(57) Abstract

and feedback means for tracking acrua. use of ^ °m S-Sn,™"" ^ " ^ C ° MTOi ° f thC C ° moi meam ' 
as part of the streamed content or through a sideband hrtTneT n£ n . C ° mr01 T^,* may 0pera,e in acc °""n« with rules received 
no, the content can be copied or rransfeU and Shertd un ?er w a, ^KS^'S?. T ** ""^ inC ' Uding wtah " " 
devtce and used in a second device. The rules may also include 1 L • k T , f S rece,Ved con,ent ma y ** checked out" of one 
and/or transmitted to an external ^^S^mV^lT^,^' " aUdit information * c ° llected 

A "trust plugin" and its use are disclosed so that iwd7*S.^! P * l ° Ca " plugins to assist in renderin 8 con «"'- 

without the necessity of requiring any changes to he medfa Save £, 8 , T W * un P r0,ec,ed «»•«« ™V render protected content 
MPEG-4. MP3. and the RMFF format P * ™* St ™ mt * C0 ' Ue " , "»* te in a number ° f different formats, including 
FIELD OF THE INVENTION

This invention relates generally to computer and/or electronic security. More particularly, this invention relates to systems and methods for protection of information in streamed format.

BACKGROUND

Streaming digital media consists generally of sequences of digital information received in a "stream" of

com™ owners ,„ allow s lro iLI I C< " ,Se< "" !M """"""^ ° f 

can be protected. * 3 mMh0d0l ° 8y " y * h -* ««. 

SUMMARY OF THE INVENTION

•0 *e MPEO-4 specification « 1^,7 f V " ^ P " SUam 
with .he proviso .ha. ,he described 1 """" m ° dif ™ i ™. »d 

respects. A variety d ffZ, ^ ^ ^ ^ — - ta 

embody ^ . ^^"T ' S taM "« - ^C4 

S p=cifica„o„ (iso.ec ; R ,t;c ^ enco r p ~ * ,he 

content protection fcnctionaii,,, L ol ^ ^ ^"t^"' 

^.l^cc— r s - d -~- f 
Systems and methods consistent with the

protection and d gitaJ rights manaoen,^, a - • "anient 

s ngnts management. A streaming media player consistent with the 

«« tnchtdes content, which is CTCWed „ ^ m w ^ a secm * 

r i rrn info,ma " on designed ,o conm - ° f *< «-«■ ^ « - « 

ke suttabie for dec Wlon of a, ..as, a portion of the content. ^ media 

Hi: comro ' T tmaK incwing • — * °^ — - 

««-, cryptograph* keys , Md raMm fer decw|jng ^ ^ ponjon ^ 
BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and, together with the description, serve to explain the advantages and principles of the invention.

FIG. 1 shows a generic system consistent with the present invention;

FIG. 2 shows an exemplary Header 201 consistent with the present invention;

FIG. 3 shows a general encoding format consistent with the present invention;

.hepreseI°„v^r°" em ^ CTf0rSt0ri " 8ar ~^ 
FIG. 5 shows an example of a control message format;

FIG. 6 is a flow diagram illustrating one embodiment of the steps which take place using the functional blocks of FIG. 1;

FIG. 7 illustrates a form wherein control messages may be stored in Control Block 13;

FIG. 8 shows MPEG-4 System 801 consistent with the present invention;

FIG. 9 shows an example of a message format;

FIG. 10 illustrates an IPMP table consistent with the present invention;

FIG. 11 illustrates a system consistent with the present invention;

FIG. 12 illustrates one embodiment of the DigiBox format;

FIG. 13 shows an example of a Real Networks file format (RMFF);

FIG. 14 shows an RNPFF format consistent with the present invention;

FIG. 15 illustrates the flow of changes to data in the Real Networks file format in an architecture consistent with the present invention;

FIG. 16 illustrates a standard Real Networks architecture;



SUBSTITUTE SHEET (RULE 26) 



WO 99/48296 

PCT/US99/05734 






invention; 



HO. ,, shows a * stKm tomm consisten , ^ fc princ|pte ^ ^ ^ 
HO. ,9 show, one embodiment of protection applied t0 ^ 

invention tXam 6 ~ ^ » ilh - 

FIG. 26 illustrates a Header CMPn oahi 

FIG >7sh„w, , CMPO2601c<,nsls,e "'»i">>h=presen.i„vem,o„; 
HG. 27 shows exemplaiyComenl Management ProieeHonni, . 
•he pnnciples of ,he presen, invention; ^ ™ C "°" ° bjK ' S mmmm ' «» 

DETAILED DESCRIPTION

Reference will now be made in detail to implementations consistent with the principles of the present invention as illustrated in the accompanying drawings.

The following U.S. patents and applications, each of which is assi<Jl , ,„ 

APP canon SeHa, No. 0 8 «,, 7 , 2 , „ w on Augus , ^ ^.^^ 
^. Steganograpmc Teenies for Securely Delivering E,ectro„ic Digital Rights 
Management information Over Insecure Communions a— * U S Pa, „ 
Apphcation Sena, Mo. 08/o 8 9, S 06, filed on August , 2 , 1996 ^ ' ^ 

^^^^^ G ™-*^"»* "--PpH^n cll 
08/706 ' 206 - on August 30, 1996 ("Ginter. '206")- Shear et al T™, . 
Closed & Connected Appliances "us P*t»„* a >•

Securiiv -its d . '"' ergetal - ObfiKCaUon Techniques for Enhancing Software 

rcl »?t APP " Ca,i0n Serial No ' 09/095 ' 34<i ' fiW - *» ». 1» 

".827,508, issued on May 2, 1989 ("Shear Patent") 
HG. I iilustrates Media Sys.em ,. which is capable of accepting, decoding ^ 
rndermg stream* multtmedia cement This is a generic system, though i. 
*«. asedonihcMPEG.specincalion. MediaSystem , tnayin Ide^ 
hardware (indudmg integrated ciraljB) „ . ^ 
Media System 1 may include a Protected Pnv„<i„.. c ■ anooaiment. 
■he Ginier '333 application. 8 E " V ™ (PPE) - » 

In FIG. 1, Bit Stream 2 represents input information received by System 1. Bit Stream 2 may be received through a connection to an external network (e.g., an Internet connection, a cable hookup, radio transmission from a satellite broadcaster, etc.), or may be received from a portable memory device, such as a DVD player.

Bit Stream 2 is made up of a group of related streams of information, including

?zt^:: Audio sa ™ *■ vide ° sacm 5 - ^ *« 

number of separ^e videl^ ' " ^ ^ 5 — " 

WtoJ*" ^ M,TeSPOnd Se,Kra " y '° — " d£SCnM in "» »W forma, as 

Organization Stream 3 corresponds generally to the BIFS stream and the OD ("Object Descriptor") stream.

sireams AUdi ° ^ * ""' ^ ^ 5 <™ « » - A"* and Video 
Control Stream 6 corresponds generally to the IPMP stream.

informaZ'l^ 4 ^ <and ""^ *™ **> 

nfoma Tni s tnformatton ,s used to create the sound rendered and output by Media 
System 1. A»<i.oS«am, mavrepresei „ multi <P byMed,a 

y em i. Video Stream S may represent multiple video streams These 
^^^^^^^^^^ 
video outputs.

^o^ZZT^T' 0 '^ , re ,a ted ,o 
Control ^ * • , , JCCtS * 0r ^ ,nd « v idual streams. 

^0 j u : ;Lt;trr'; nfomation ' ~ - >— 

message. The coll L ™ a,i0n mC ' UdK - f °' -* *»- 

usra P n,c Ke V s ^d rules governing the use of content 
Info Stream 31 carries additional information associated with the content in other components of Bit Stream 2, including but not limited to

frndons such « _* S :r '• ^-P— « forcontent-specific 

Each of these streams is made up of packets of information. In one exemplary embodiment, each packet is 32 bytes in length.
:e. ,,„i,i„ u ■ iDy,es,nlm 8*- Since a single communications channel 

embodirnen,. each packet may mclude , ndlv ,d„a, stream information 

Exemplary Header 201 is shown in FIG 7 Tki.y, s 
■he Organization, Audio and Video S.,ea!s A h This header may generaily he used for 

below. Header 20, inCudes Fie 7',, ** *" ^ h 

as a header. Field 203 id™,« h ! m T " " Pa " em idem,IV,ng ^ 

Option Stream, C.I ^ <* *~ 

Identifier (ES ID) which is used ,T C ° nttmS " S,re » 

where JL^^tltrT ^ * * " «~ 

Field 207 contains a time Z Z^Z^ " — ' ime ' 

•rack of the elapsed time from the c m for exam P le . k «P 

used by Compostte sTock , d I T"' " ^ *"» 207 ^ * 

Time Stamp 207 may £ f 7" ^ " » "= 

may therefore specify an elapsed time mom commencement of rendering, 
foMowmg packets which „ pa „ of ^ OTeam of

,s encoded ,„ a binary forma , For Field 202 mighl 

sequence of bi.s which is recogruz* as indica,i„g a header, aTd Fieid 203 mi,*, 
-lade two bits, .hereby aUowing encoding of four different ^ ^ 

Returning to FIG. 1, System 1 includes Demux 7, which accepts as input Bit Stream 2 and routes individual streams (sometimes referred to as Elementary Streams) to appropriate functional blocks of the system.

Head 2 ^ enC ° ded * e f<,^na, illUS,rattd ™ FIG - 3- to this fig™ 

Header 301 ,s encountered in the bit stream, with Packet 302 fen • ., 

Packet 308. following, and so on through 

When Demux 7 encounters Header 301, Demux 7 identifies Header 301 as a header

P tr r r mfon " atio " ,o ,demi,v **- 3 ° 2 - 305 * — «i 

Audio B T 'J" 0 "" 1 " DeC<,mpraS0 ' ««* «**!. Element Streams from 

Audio Stream 4 and Video Stream * ^ A a 

■he stream inform , , decI> ">^« *»« streams. As decompressed, 

e strean mformatton ,s placed in a forma, which allows i, to be manipulated and outpu 

ati::; ;r iay ' r ere - ummph — - <«* -> *° 

e oThe aSPCC ' V ' de0 S ™ AV B " 9 - - .o assign each 

pacicet to the appropnate stream. 

Organization Block 8 stores pointer information identifying particular audio

including, for example, where the object is located, when it is to be displayed (e.g., the time stamp associated with the object), and its relationship to other objects (e.g., is one video object in front of or behind another video object). This organization may be maintained hierarchically, with individual streams represented at the lowest level, groupings of streams into objects at a higher level, complete scenes at a still higher level, and the entire work at the highest level.

representation of a work. In this Figure, Tree 401 represents an entire audiovisual work. Branch 402 represents a high-level organization of the work. This may include

Each of the nodes specifies or contains a particular ES_ID

specie audiovisual elements J ~ °; 8m,2a, ' 0n B '° Ck 8 *° de,emi " e 
organ^on Md relationship of ^ «"~ and ,o determine 

decompressed audiovisual „ jKB C ™ B L B,0Ck ' ' ^ 

by fn^.ion J 0rganj :,^ £ «— ^ ohjects a, 

organtzed info^ion ,o Rendering Devi ' w h „ T" ** ' ' "» 
speakers. «c *' Wh ' Ch m,ghl be * "^sion screen, stereo 

S*eam C 6 ~Z "ZZ2 * 

* HG. 5, which snows Con.ro, Messag ITo ' ^ " "'"^ 

5M ~ ^ *»• Header 50 2 coLslf^'mZZ "! * 

■demi^g the following i„ formation . . ^*Z** " d " d " ' b » P— 

*■ - a header for , he organization stream m ^w^ T ** ^ 
control message; Pointer Field 50, , " ' d "" ifies lhis P" 1 *"'*- 

— g e ; Tim! Sta.p T" ** " * "* 

>^*~L*zzzzzzz:'*' n '"-'~* 

controiied); and Length F i e , d 506 , whfch J^ZZ^r " 

Message 503 may include packets following hZT T'^ ^ ^ 

» "0. 3. In the exampie shown. Control Me&saee 50^ ? ^ f °™ *°« 

01 MesM 8 e 501 =ames the unique ID 1 1 1000, 
encoded in ID Field 504 Thic^„- i

Po.n,er Field 505. The aJodaied M E& M " * ' * 

Fie.d 506. ^ C0 " UinS '- 024 - bM by Lengft 

in «. : may be desnab.e , 0 ^ JJ^^T " *— -eve,. 
Since Comrol Block 13 will „nen,iw„ ^ ^ orta, "P eri "8 by Men. 

Control Block 1 i im«i »8«izanon Block 8 less necessary. 

Con.o„e r „ and with £ " ~-*«<* wi* AV Block S tr eam h 
*— I. ft. S tre am Flow Combers „ showi , ^ ™ In «* -*»««« 

associated functional block Thic a iu • , • ^ onTO »er and then passed on to the 

™bod,mem.,he Stream Flow ConttoMersmirtth . blocks. In an alternate 
nmctional blocks. B "" e8rated dta "'y <"'° *e associated 

au,he„,,c a ,, on code, and/or digiL S1 ! Z t haShi " 8 ' — * 

reived from Demux 7 D«™ „ ' ** 

authenticaion code election and/,, .7 c W»8raphic hashing, message 

action, as ,s descrtbe t::;:,!: a t;. C ~ C Va ' ida,i0n ~ * 
may also be U sed. ,„ „ J^*"' *~ °' e ° V «"~"<< processing 

— e u sedbysys,em ,. ^ reductions ^ 
may contain multiple AV Blorir* M ^ u j..

p— . «. „i, lve m r riti 8 ' r~ Audio or vidM *- - 

unacceptabie in a reaM™ svsterT ' ' *~* ~ "** " 

^ loloCKS - buch an embodiment would allow for on W m^ 

routing of streams to individual functional hlorir. c pnorroine 
-> / "rational blocks. Encryption of the entirerv of Rit 

ota*. have no abi, iIy ,„ detect or JZZT 7 ? 
streams to taciona, blocks ,,h a h 17 f ' " " — 

When a header is passed bv Demnv i * n *u 

flow conquer assoctated w ,,h Z I 7 H ^ ** *" "~ 

f„ii aIMWIln,nat Mock reads the header and determines whether th. 

^^edsotha.oonvent.oJve:!: :^f~ Wfa -' M '^'- 

If a stream flow controller detects a set governance indicator, it passes the ES_ID associated with that stream and the time stamp associated with the current packets to Control Block 13 along Control Line 14 or 15. Control Block 13 then uses the ES_ID

A simple governance case is illustrate k., no * , . 

Place U si„ 8 .he fcncona, blocks of ~ ™ ' ^ * 

and determines that the header is pan of the AV » , ' ' 

deader ,„ AV Stream C^TZZ ^Z 7 ^ ^ ' 

header ar«l determines u,a. the . COnm " ler 1 8 reads "» 

Step 605, AV Stream Controller 18 obtains the ES_ID and

^^p^-Cl^l■~ i ■ ,,, " 7 ■ ,,,, • <,,l

tan in a convent! mam er. ^presses and processes 

PO„,o„ s of a S ,ream J d JZ ^ ! X 7' e ' " * «* *«« 

number of k « ys) wiu „ 01 be a Z I rriT" T" °"' * <* ' 
number ofcon.ro! messages with " *" aSS ° Cia ' ing 3 

for a parted period T, ' W,Ih "* "«* 

conJ, k el^ o 6 ^ fcn,,a " 0n W0UW ' hOT te - *~ 

a " ema,ive ""-"im™. Control Btock , 3 may proactively send 
from Organization Block 8 and AV Block Q tn r ™ 

- >o„ g er be,„ 8 rendered, Co J £ U 1^ ^ " "*» * 

actually used Control Rl m ob i^ than are

Control Line 16 may also be used to control the operation of Composite Block 11. In particular, Control Block 13 may

Composite Block 11, or may force erasure of the illegal object.

leas, m ^a^be^ , ^ b0 k dimen, • °' °° n,r01 * C °™' "» >« «-v a, 

g control Stream 6, or, alternatively mav be 

restden, ^ " ^ Peri ° diCa " y a ~ 3 ^ ° f *« ~ 

appropnate action, including deletine the in*™. • Y 
Block 8. -nformat,on currently resident in Orgaruzation 

wh,ch has been received by Control Block ,3 ^TT "* 
*e presence of Contro, Line ,6. " e " mma,,nS " "« « ~» f <» 

Control Block 13 may also be responsible for securely validating the

orotec, "" ly 3,50 i " C "' de " hBr - RiShB d as KP 2^ 1RP

protected processing enviromnen, , e e .ppp,. . . . , Z ~ m 22 15 a 

»d which may store sensing i f ' ""Controls may be processed. 

ay store sensmve tnformatton, such as cryptographic key, rRP7? m u 
'"corporated within Control Block 13 or m „„i, gr pmc Keys. IRP 22 may be 

22 may inch.de CPU 23 ^ I' " ""V™"™**'- As is illustrated, KP 

* *l« »c Za : ^rr;: f ™ g c ~< **» 

^embodiments L , 6 ' ^ ^ ^ ta 

tonality may be ^ ^ *— ^ h - 

Governance Rules 

Control messages stored bv Control Block 11 m.„ k 
illustrates the form in which the con. , ° Ck 13 may be "^mptec. FIG. 7 
coning of Array 7,7 C, n meSSa8CS,My * ^ ^ B1 « k »• 

may be combined with that of Column Tl ""^ ™ S 

m as the identifier ortv „„ ne 7 ' *" " ,f ° raa,i0n ° f C °>™ 

■*-*r. Column 0 ™™ TlT J" ' T" ^ * "» 

'-ion 1 has the n>,5.«, controls s^T ' C0Mro ' ^ " 

verified prior to LUt^X ~ S >— '™ "System I, be 
include System ID 28^vhich st governed content. For example. System 1 may 

on a system in which *- 3 — - only be decrypted 

in FIG. 7, in which the IJagTi shot ' " ^ ^ " « ~ 2 

may be imphcit, and a^^IT*? " ' "* — ^ * 
store only the ru,e ,he rule " „ " ^ % * ,abl,! ^ "» »»» 

the functions) ' ^ ^ C " 0nS (C ° Mds > * - * or only 
In .his case, when Stream Controller , g encounter a Header for stream 203 1

Message 20 which governs s^ 3 c 1 .T" ^ " ^ ^ 
System ID 708 mm , u Authonzed System ID 708. Authorized 

1 messa ge (e.g., Control Message 9) which rrmr™i *a 
could then reference in order to nht a ;„ 1 Messa g e 2 <> 

order to obtain access to the Authorized System ID Wh „ 
might exist, for example, if a cable subscriber h,H 

oh,, z;," co ~ g c ~ 707 — s — - « - 

System ID 708, speci " ^7 " ^ - — » *■*•»». 

Olograph* ^ 70, ,o C cll^T T' ^ ^ 
*cryp, -he stream corresponding , 0 * * - C ~< ™ « 

Commands 70 7 fail ,o release cLo„"T 7 ^ 
-* .» decrypt , he s^ ^ ^ " ,h " S ^ ^ > « * 

In order ,o cany ou. ,hese tactions, ,„ one ernbodimeM Conto| 

n- Tne rne m o~!.herr I * ^ °' ^ * ° f »° 

message and IDs o^any goTemecl ES^ as ^ oclatlo n information (ID of [he control 

Since the functions being carried out by Control BWt t 7 
sovemance of content which may he valuable CoTw £ ' ™ " 
completely protected by a harrier which resists ZZ H b ^ ""^ " 
above, the pr<*ess,ng unit secnre memorT , SerVa "° n ' 
nay he contatned in mr 2 , ^ Van ° US ""^ S-ema^e-related elements 

Con^ll^ T ^ ' nC '" ded " ° r *» C °™' Block 13. 
hardware burtons, information displayed on a v„ ' n™t,onal,ty (e.g.,

control message may reouire Iha t h e ^ A Pan ' CU,ar *"» * 

■hen check against a stored password to ,n!2 he 1" * ^ ~ 
render the stream. '° '" sm * al ,he P^ar user is authorized to 

-dress, emat, adores^ ™ ^ f ^ ^ » 
Port 2, to Extern, Server 30 fer J fi "on ^ ^ *" " ~ 

Alternatively, Conrro, Block ,3 may be desi m H , ^ographic key. 

*. information pending to hoo^^ " " 

Control Block 13 might recutre that , ""^ * ^ * 

external conneoion. Pe " ding ' he ^blishmen. of an 

requ red to view Stream , • ' 11 0ther users « 

Mially anempts ,„ access be H ^ *— " 9 ' *• — 

mpts access the vtdeo et^ed in Stream 49, Rule 7,0 c„„, d puI up . 
information JpLlcr k •. RUle7,0CO '" dstore < M ™*cpa ymm ,
indicating tha, adi«Z,T *" ^ "**" reMi P l ° f • "«der 

^ had m rr i^r r u wo, " d - che ° k - *« - *« 

Ruie 7,0 cou,d 2, TZ. C 50 ^ 

rw . Cryptographic Key 71 S to Organization Block 8 

Cryp.ograph,cKey7i5match es0 rganiza,i„nStrea m5 l n 

references the video from Stream 49^,^ 7^ O^.zatton Stream 5 , 

Rule 7,0 would refuse to ZZc ^ advertisements from Stream 50. 

Organizatton sj^ m "° SraPhi ' ^ «™ » 

,„ n 77 coms '""« b '° *e video wtthon, advertisements 

-ally render*^, « J^T **" "» <*-* -*« 

couid use this ,„,„" T „ SMP ,,n,e f ° r ' he Conrro, Block ,3 

from Stream 49 T* JE*. """"W"- of the second portion of video 

necessary because Composite Block 1 1 mav h , , dls P ,a y ed - T*» may be 

--orapaJ^eoT^ 

» contro, condition, d^,i„ 7™°" °" * l0M,i ° n « 

entered by the user. nf0rma "°" C ° U ' d be SWred in System , or 

™. wh- :;:;ir;ri o : at 7 5 of ^ m - ™° ~* *-* 
u* -™ „ f :„ *l; 77 ,o ,he number ° f usk — - - «. 

-v user has to spend, etc. ,„ ope™™, Rule 719 may ^ ^ 
spectry *» the w„ rk may no , ~ !T reaChM R "' e 7 " ^

numher or password, or conlaclmg m * — * ■ «* card 

-h-^ir^r a ? may con,roi - *■* ° f a - " * *■* - 

The rule may specify that an ^d'cation^e sec^dj^stor^reTard 6 ' 11 ^ h^'h ^ 

"checked out" the work Ifth,,, ecurel) ' s,ored re S^">g whether the user has 

relevant control meat**, h. . ""ratted m encrypted form, and that the 

indicator he ^ZTl ^TT" ^ " ™" " »«■* - - 

- or copy the wol t^ , dt ~* *• « — *■ » 

has not been checked back in. checked out to another dev.ce and 

work on the on g i„a, d ^ 'two de " ^ " - **" <° « - 

in the second and rese i , et T J S T T"''' "» "« - he,„ g set 
only used ■„ one " S1 °"* " - Nations, b„, 



Because the con.ro, message tnciudes t« ^7 T* " 0ri8ina ' *** 

work couid ordy he used in one tZZ^ W "° n ' ,hlS ^ ^ ^ * 

more sophtsticated device (e g a person^ " "* ^ " 

(e.g., a hand-held musrc p layer) . § " ft " ,C, "" ,S » "» »— ' 

Rules may also be used to snecifv tu*+ • • ■ , 

me tile. Such rules could operate similarly to the 
techmque described above for transfemne a file frnmn a ■

require that the onginal file be enf ■ t0 ° F COuld 

a downsfrea* d , st „ b ™ J ° f ^i*""*" — *• -Wing a„o»™ g 

am 5, the Com, „f a wattnMrk „ ^ 
( *. External Serve, 30). Rules may be obtained through p orl 2 ,,,„,„. ,„ . 

«™ va.ida ion ^ I ~ ' COnKn ' '" taaIro " and/or 

Control Message Header 1202 and r .7* ^ 1201 iS made U " of 

s ncdaeri^U2 and Control Message Content* l im a j 

elsewhere, Control Message Header 1 2n? • , " dCSCnbcd 
,207 may include vanous ^ of ^ Geographic Key ,209

and Validation Data 1210. Data 1207 may also include cryptographic information such as a specification of the encryption algorithm, chaining modes used with the algorithm, keys and initialization vectors used by the decryption and chaining

d.!:: c t k inpm ,o ,he ^ - - ' 

for decyp ,o„. to one well-known prior an embodiment, th. initial veclors 
£~d by staning wilh a base initially vector (a 64 hi, random number, LZ^ 
m the frame number or start time for the content item 

Validation Data 1210 contained within Data 1207 may include cryptographic hash or

val TT" m ~' ""»» >"* *" «- i 

validating digital certificates. 

The DigiBox may incorporate the information described above as part of the control message, including the rules, the stream ID and the cryptographic keys

be read bv Dr^'T" 0 "™^ ^ ,2M »" "* • «- * can 

r h t rou,ed ,o c °" m> B,xk i3 - 61 -* - -»«««. 

nesting DigiBox 1204 within Control Message 1201.

Some or all of the contents of DigiBox 1204 will generally be encrypted. This may
ncludeRu.es ,206. Data ,207,and possibly someor all ofHeader l^TystemTlyl 

IRP 22, so that the DigiBox may be opened in Control Block 13 without the necessity of routing the DigiBox to IRP 22 for processing. In one embodiment, the cryptographic key used to decrypt DigiBox 1204 may be stored in IRP 22 (or Control Block 13), so that the DigiBox can only be opened in that protected environment.

Rules 1206 are rules governing access to or use of DigiBox Data 1207. In one

R e ZZ " * ~ ™* — «* *- ,206, howeve 

totypted thnough use of the key, which can o„,y be obtained in compUance with the rules 

anomer embodiment, Data ,207 may ine.ude additional rules, which may be e*nT* 
ftom,heD,g,Boxa„ds,oredina,ablesuchasArray717ofF,G 7 
The rules governing access to or use of a nioin^
shouT, i„ FIG. 12) or may be se^ , (« 
contamapointer r e Z t^^^*^™ Aul^206woald 

Dig*ox, Control B ^ : ^ * ^ ^ 1 ^ ^ ° f ' 

~dr^ 

Pipelined Implementation 
content in real time ^ rend J n !" T * P ' Pd "" d »*"" ^ * 

— "ecu, in a highly efficient maimer ^ , " ^ '" "* ""*'""« I™-* 

or ,ha, ,„comi„g Bit SffKm 2 « * «. H may be mterrupted, 

some portion of the incommg data. ^ CaUS '" 8 11,6 ll)ss ° f 

An alternative embodiment of Svsiem i «j j 
though a. a possible „ m lhe ^ <° — — P^ems, 

cost in overall system security. This embodiment is illustrated in FIG. 11, which shows System 1101.

1 ,05 md ^^^^ Video 
passes Otgamzat.cn Stream o * " ^ * D ™* 1 '»'• 

- Vtdeo Stream 1,05 JaV B c^T " ^ ^ ^ S ^ »« 
op-e s,milar,y to theit counters ^^T^-T ' ^ " 
1 0. which organizes the infonL P ° n " i " i ° n '° C ° m P° siM Bl °<* 

— «... ^-t^r7.r*■ , T ,, "" ,,,^,,h, 

Stream Flow Controller 1 1 12 anH ^ ^ validated bv 

System 1101 differs from System 1

touted, and integrated dtrecly ^ 7*°' - " 

. .01 thus lacks a separate conrrol block , 7 8 PipeU " e - SyS,em 

Composite Block , ,,„. ^ ' »'» •»* *» *. 

System 1, cryptographic keys are received through Control Stream 1106
fcys are included ormTw h 30 ' A "^^ »««■ M05). Those

P—lar conned stream ' ^ « * - ^ the 



confer. ,f Demux , 107 IT ^' ^ ^ te '» *• W^ate stream flow 
S^ean, Flow C 1 w ^ ^ " > ' 

or as a key seed That stored info § ^ information as a ^ey, 

Swam Flow Controller 1113, associated wi,h AV Block 1 109 ™, 
~,,ar w , he operat.on descH bed fo r Stre^Flow cZl^ w"™"" 

composite block (FIG 1 Prmt™i i • . iceaoacK channel from the 

fact .a, Corn ;i:; eX ' a - «* S ™P'~n rel.es on tne 

.o define , e J^Z^.^ *" °—-*« B.ock , ,„ 8 

Composite Block 1 „0 " * ™ " D ™= » " •■ 

feedback, stnee Orgamzatton Block 1 108 may be destgned so tha, 
it accepts information only through Stream Controller 1 1 12 an. ^ n

may be designed so that it only dec™,, ^ C ° ntn),ler 1 112 

stored in Storage Location U ,4 " — *" of.uta 

In such an embodiment, security mav he fi,rth. • 
Memory „ , 8 into Organ.za.ion Bl '«■»—« Secure 

hash of the me ^c^.*r ^ ' "* ™* — ■ «W or 

use fa Main Or E ani Z at.o„ BIock J ' ' ' ^ C ™ 

periodically compare ,he or^tionl " "•° rSamza <'°" Block 1 108 may be used <o 

indicted* an atucker has altered th" " sported, M. may 

"19, .hereby possibly •£^£"7""" " "* °— 

measures, including replacing the contents of Main Organization Block Memory 1119 with the contents of Secure Memory 1118.

MPEG-4 Implementation 

The generic system described above mav be emh^- a • 
<*— in PIO. 8, wh.cn shows MPEG-4 Syl™ ^ " " ^ « 

MPEG-4 Sys.em 801 accepis MPEG-4 Bit Stream «m 
Stream 802 .ncludes BIFS Stream 803 ODS, „tT " MPE °- 4Bil 
806 «d fPMP stream 807 jZ , iT „ ' *— "* ^ S «™ 

header informal and routest^ " ^ ^ ^ ~ 

.PMPSys,em8,2. aPPropnate, toBIFS 809. AVO 8,0,008,! or 

lPMPSy s ,,m 8I 2rece,vesrPMP m essa 8 es th r„ ughrP Mp s , ream807 _ 
messages may include hearW i„r stream 807. Those 

aviated ^J^^^^^"-*---.-- 

may include a cryptographic^ Id^ "** "«* 

Stream Controllers 813, 814 and R i s ->/.» » j 
passed ,„ B.FS 809, AVO 810 and OD 8H ^ 2* and/ ° rS0Vem "™" 

streams which include the obi,,, 7 " Bma "^ Stream « 

which « A ,r a,so inciudt ' poimer *° a « ™ 

System812. taWe ° r 0ther form ^thin IPMP 
*** fam ffM P Sys 2 \" d ' ' 9 : a ' h of wh,ch «— * -governance

■PMP System 8,2 Sir n " a "°" °' *° m «•* to 

which IPMP System^ m v 7" ^ inC ' Ude ^ ~ ' «- «-* 
be used and It ' '° ^ WWCh ™ ~* (•* *hou,d 

In an alternative embodiment, IPMP Sv^m an 
Composite and Render 82I by " """" ^ 

through IPMP stream 807, . 1 7 BIFS "* 

the proper content is bei™ ™h» .1 X 1 2 can confirm tfl at 

Compel and ; ~ T reCeW " 6 fadtaCk "» 

"* for, 822 whi hi 1 llo S '" Ce 809 my — • 

creating . pos ib J Zt^T ^ B[FS 8W ' 

— d accesl til W '"^ " — ^ - - Sain 

y ine ES _rD and time stamp directly to IPMP System si 7 n. ■ , 
send this information to OD 81 1 whi,h , Alternatively, it may 

S oven,s that ob.ec, „ r streT 1 s ^ " ** 

^uestdecryp on 1 ^ Z *>"> *- ™P message n, ,0 

,P ' atidation, and/or governance from IPMP Svstem s i ■> a , 

connected to a dev,ce or me™ , ' Ch may be directl - v 

aev,ce or memory (e.g., a smart card, a DVD disk rt r ^ . 
network (e.g the Interna a m»™ ' d uvu * sk - etc -) or to an external 

contain specific controls needed Z^ Jl 3 ^ * ^ ^ ™> 
information, such as for examnle 7 ^ " ^"^ rK "" red 

object, A panics 0 D Message mtTaZ I 7 " 
904 , tetifi e S a panic* EU J" trrr T ^ P ° ilto
to, area*, Finally, OD Message * | „ " aPPliC1 "* e " 

a panic* n»MP L V T " ^ " ^ "* "** 

u • aescnoes each elementary stream which mak^ , m tu a 

object, and identifies the IPMP message whirh i P 

be stored in OD 81 , a l u ! ^ ^ ° D Messa § e 9 °1 ™ay 

O Lues ^^^constitutmganobjectdescnpto, 
Uo Ject descriptors stored in On 8 n 
u u 1 may be "Pdated through OD Stream xoa 

be used ,0 change ,he IPMP JT t T riP ""' ™ S meChaniOT 

the IPMP pointer. § J deSCnpt0r ' With ** exce P^" of 

00 8^804 can also carry rPMP_DescriptorUpdatemessa.es Each. h 
message may have the same format as IPMP m> h 
in.i ^ • ™ messages earned on the IPMP stream 

including an IPMP rD and an IPMP message 

i^Uy, as *. ,oca,io„ a, which „ 3 ^ "* ~~ "* 

■PMP m essa g e associaie, J^^T " T " C ° 1 "™ '°° 3 ' ^ 

,002. - ' fW Mam|>le ' " aored at slot 4 of IPMP Table 
unfilled, which otherwise might be dirr^u •

longer vaUd and which may be replaced Vah^ H " *** " 00 

Source Indicator 1005 is set based on whether the associated IPMP message was received from IPMP Stream 807 or from OD Stream 804.

These indicators allow IPMP <j V c tAm 010* 

may be designed to automattca.lv ^ " 'T ^ ^ *" 

mdtcator ,s se, ,„ vahd, IPMP System , ,2 k *' ° ""' " ValW 

indicator If the , „ " *" " esisned t0 ch «* «» «our« 

inaicator. If the source indicator indicates that th« , 

•hroogh OD Stream 804, IPMP Sys e^ ^ h T ™ " C * - 

~» with the new message. ,7 how I Z„ T " ^ * ^ 

If, however, the source indicator indicates that the associated message was received through IPMP Stream 807, IPMP System 812 may be designed to check the source of the new message. That may be accomplished by examining the header associated with the

was pan of OD Stream^ I^I Z^TsTT, " ^ mMSa8e 
^ this informs by^ "mT^ ™ **** « " 
from Demux 808 or through OD 811. r "* ived 

IfU,eneWmessa 8 c ^"^ughIPMPSrream807,rPMPSystem 8 , ?m - 
designed to store the new message in Table ion, „ • ™ p System 8 12 may be 

new messagecame through OD Stream^ 1 * eX ' S,i " 8 ,f *• 

Signed to reject the new n,^ °" ^ ^ ^ 812 ™? b = 

messagesinthelPMPstream Those™! The studio may store IPMP 

System 812 reouire tha, a Z^T ! ^ "** * *" ™> 
cable Cam*,. tJIZTZ u Pr0Vide m ° Vie *° ' "* - •

,o insOT jli ° it, ; "-""r* ,he od — ^ - »< 

include a rule in ,„e 0 D T . '*— ' ^ *» 

rule m the OD swam specfying ,h a , the rPMP p 

user P^d for premium viewing deer™, ,h. • ■ , ™' ne ' f " 

for, bu, insen advertisement J re ^ h * 77 ' f ~ - ««- Paid 

no, been paid for). ^ b ° """^ if » rc ™ ™wi„g has 

- - by memo t ^1 1 * - -Id eliminator alter tne 

by ,be studio ,o a rival mot b m !' " T *" 3 ~ 

-Id specify me j£ 1 T ^ ^ « ™» «<* 
p ' yffie, >T K ''fn™'r U Ieswh,chwouIdbeallowed t hrou 8 hmeOn„ r 
•hereby proving the studio a high degree of control 

raring ,ha, a payml „ f J1 ' k " ^ ** ' ■ 

viewed. The user ^ h , '° a,:C0,,m W » «" ™™= - be 

Because me user's rules could „„, X 

,ha, „s ^ZZZTT T ^ ^ ^ ~" * 

MPHG. sterns. This may be poss^e J£ ~ II« "IT* ^ ^ 
•he forma, of ,he informal comamed in ,he IPMP sZ IT^ 

content providers to encode i n f„ m by a " owi " s difftra " 

k ers to encode information in differing manners 

.ha-arecom^^" Z^TZZT^ ^ 
may be discarded Suchameeh, ■ All olher headers (and associated packels) 

— --—system to J, ll" "Xs can 
mcorporate an .PMP System Type identic, Uo8e iimmm ^

BIO 'System 80, mtgh, be desjgneti ,„ be le 
s!^!r rJ. OmPa ' ,b ' eWi,hIPM?SyS,an80L could ften 

order hem iom most to least prefemd _ by ^ 

compattble for™ „ flnds , orderj „ g „ ffMp ^ ^ 
IPMP system chose ft. forma, mos, desired by ,he co„,e„, provider 

encrjT ™ f0m,a ' S ~ — W '" ™ «* ~- («- 

«*«->«-« • "H- al g on, ta , stnce ^ multiple ^ 

mpose a s,gm fi ca„t bandwidth bmd „ ^ . ^ 

use the DES algorithm in output feedback mode.

also be ^ r e,h0d ^ SCrea,i " 8 ""*"■ - 1 l0Cki " 8 ~ 2 <" f °™« -y 
also be us* ,o custom an MPEG-4 bi« Stream for the functionai capabilities „, , 

pan.cu.ar MPEG-4 system. Systems capable „ P J 

co„s, d erao,e range „ f bMiom]ny , 6m ^ ^ ^ ^ j£« 

Governance options suitable for one type of system may be irrelevant to other systems. For example, MPEG-4 System 801 may include a connection to the Internet through Port 820, whereas a second MPEG-4 system (for example, a handheld Walkman-like device) may lack such a connection. A content provider might want to provide an option to a viewer, allowing the viewer to see content for free in return for providing information about the viewer. The content provider could insert a rule asking the user
whether the user wants to view the com™, 

Th. n ,r. u u C0S1, " OTKr information. 

The nr,. cou,d then send the information through a port to the interne,, to a URL specified 
m^entie. A S1 ,e a, ,ha, URL couid men evaluate the user information, and down oT 
advertisements targeted ,o ,he particular user. 

Alftongh mis might be a valuable option f or . mmmt provider „ 0 
uo sense for a devic which is no, necessary connected to ,he mternet. „ would let 
sense to present this option to the user nf =» ™„
exiemai URL or download the advertisement t« u 

P-fer.0 reouirethatthe u^^l: ■ "™— * 

strean , P resetet =«d a* contained in the original MPEG-4 bit 

Header information in the IPMP stream could be used to customize an MPEG-4 bit
stream for particular devices. As with the IPMP Svsttm TW r MPEG-4 bit 

infotrnation could include MPEG-4 Svstem T T 'nformation, IPMP Header 

for example, could indicate that a device includes a^ Presence of a bit at position 2, 
An n»*» 3 P^'st™ 1 connection to the Internet 

dev.ee m .vhtch the rPMP system! Z^^T* ^ " ^ 
for the functionality of the MPEG-4 devtc^e Z 4 C ° mP,eB ^ 

«- header consumes less man a comp^lZ ThT ' f 

^»^*JC^^Jr te T , * ,,, "• r * , 

IPMP svstem for an fvfPFr ^ a X3mple glVen above - the 

adverfsements mserted at the appropnate spot 

connection, and would download the ntles .J^ S^T^T T" h 

no. provide any op.ion ,„ th e user. The rules mid,. ..I 7 
«, rt „Mk • JL uvemsement £S would therefore never be decrypted and

would be ignored by the MPEG-4 device ecrypiea and 

«. -eve D.gtfox 2103 ftom „, 2 , 02 h ^ embodi ^2,02 
incorporated , nt0 CreateBox 210I , which accepB keys md ra|M ^ ouipuu ^ 

2.03 is cTh I 2 '"' ^ inWafaiOT «— - DigiBox 
103 ,s pass* from CreateBox 2,0, toBi f Encoder2,04. BifEncoder 2,04 may* 

comn Bif ri E ": C ° der 2104 * " if « aWng ,he scene graph stream (in 

oppressed bmary form, a„ d . , od „„, com ^ g ^ ^ 

theob,ectde S cnplor S tream.andDigiBox2103. ommands, 
Bif Encoder 2104 passes the .bif file and the .od file to Mux 2105. Mux 2105 also
accepts compressed audio and video files, as well as a .scr file that contains the stream
description. Mux 2105 creates IPMP streams, descriptors and messages, encrypts the
content streams, interleaves the received streams, and outputs Protected MPEG-4 Content

File 2106, consisting of Initial Object Descriptor 2107 and Encrypted Content 2108. Initial

-™ Z: h ' "~ ~* ^ " e ' ' BffS - Up- 

stream, IPMP streams> ^ encrypt con , eM 

if D,giBox 2,03 contains a„ Keys and ru,es necessary to render a,, of the content i, 
* — — , for Mux 2,05 to create any ffMP streams, ,f additiona, Keys o ™L 
n-y be necessar, f„ r a , least a ponion of ^ imf J^^" 

rales and keys into one or more additional Dieiiw, h 

either in the ipmo . DigiBoxes, and incorporate those DigiBoxes 

either in the IPMP stream or ,n the OD update stream. 

existin/MPPr 'I""™" ^ """"" "< -"".orated into an 

« I Oh n f,SUre ' U "™ MPEG - 4 C °°«™' *>! mCudes 

H ^ 22M ^ °— 2203 ' ^ «— -« a — 

d-nptton stream ,or OF stream,, an object descriptor srream, a video stream an audto 
"ream, and possibly additional content streams. 
Unprotected MPEG-4 Content File 2201 is passed to Repackager 2204, which also
accepts keys and rules. Repackager 2204 passes the keys and rules to IRP 2205, and
receives DigiBox 2206 in return, containing keys, rules and initialization vectors. In an
alternate embodiment, IRP 2205 may be incorporated directly into Repackager 2204.

Repackager 2204 demuxes Unprotected MPEG-4 Content File 2201. It inserts
DigiBox 2206 into the Initial Object Descriptor and encrypts the various content streams.

Repackager 2204 also adds the IPMPst^m if, k- • 

DigiBoxes are necessary, ' " « 

Repackager 2204 outputs Protected MPEG-4 Content File 2207, consisting of
Initial Object Descriptor 2208 (including DigiBox 2206) and Encrypted Content
(consisting of various streams, including the IPMP streams if necessary).
Real Networks Implementation 

infonJiT em ^ iraC "'' elemeMS dMCnbed ^ ™ y ta — in «— <*» with 
■nformanon encoded ,„ complin w,, h f„ mio Ktablisned by Rm , 

The Real Networks file forma. (RMFF) u^ed in FIG. ,3. This forma. 

mcludes a I** of headers a, ,he beginning (Header 130,,. followedby a co„ec,o„ of 

(Index 1303). Each file can contain several streams of different types. For each stream,
there is a "Media Properties Header" (1304) used to describe the format of the media
content (e.g., compression format) and provide stream specific information (e.g.,
parameters for the decompressor).

and a ^ N T rkS """" ^ Pro ' eCKd ty 3 Di * B °* »<° Header 1 301 

and encrypting the data packets contained in Content 1302. The altered format is

Z ' 4 ' WhiCh Sh ° WS HeadCT - ™> Headers ,402 

and 1403, which in turn contain DigiBoxes 1404 and 1405, respectively. The format also
includes encrypted Content 1406 and Index 1407.

Network 7 emb0dimen, • dCClared ° f,he *" iS ^ 6 ™ *• «— - R«' 
Ch7 it '° ' ^ ^ <e S - """^"""J H- old type is ,he„ saved. 
Changing the type forces the Real Networks player to load a "Trust Plugin," since this

Prouce . The Trust Plugin opens the DigiBox, gets approval from the user, if it is
needed, determines the original content type, loads a decoder plugin for the original

content, and then decrypts and/or validates the content, passing it to the content decoder
plugin to be decompressed and presented to the user.
are the ro^^ ^ ^ " *" ^ " "> *«

' ™:z' 1,i r toforceiar8erbuffmo " p, ^ k - 

an increase of 3 seconds is used. Larger buffers are needed because of the extra steps
needed to decrypt the content.
• Modify each s.ream.spec,flc header by c „ "RNWCPro.ec.ed" 

identifier and DigiBox to the decoder specific information. The DigiBox contains the
ey, vector (rv) , ^ ^ J™« *. 

key, IV and content identifier are generated automatically, or can be provided as
command-line parameters. The same key, IV and content identifier are used for every
stream.

• Content packets are selectively encrypted. In one embodiment, content packets whose

000 < 500, are encrypted. This encrypts approximately one-tenth of the content
prevent resale. The encryption algorithm can be DES using output-feedback mode

.0 the stream s h „ , T """^""^ Some informat.on unique 

to the stream should also be xored into the IV. In one embodiment, the same IV is used

packe.s wh.ever two or more streams have packets w,,h the sa^s 1 
Z 1 ' *" PSCke *' * " - » h - - -» *• same 



^^^^r-*r i, ' ,,e,,,fc -- iifc 

rrr .» - Fi ,e 

.504, wh,ch ,„e,udes various ai.erat.ons as described above and as iis.ed in TO 1 

deluding .he incorporate of one or more DigiBoxes in ,h= h 7 

content, modif,ca,io„ of ,he mime .ype, ett ° enCW ' 0n 0 '' he 

.7 FIG^r^T * hem,a *« - Mussed in F,Gs. ,6 and 

17. FIG. 16 illustrates the standard Real Networks architecture. File 1601 (e.g., a
streaming audio file in Real Networks format) is provided to Real Networks G2 Client
Core 1602. File 1601 may be provided to RealNetworks G2 Client Core 1602 from Server
1603, or through Direct Connection 1604.

Upon receipt of File 1601, Real Networks G2 Client Core 1602 accesses a
rendering plugin appropriate to File 1601, based on information which is obtained from the
header associated with File 1601. Rendering Plugins 1605 and 1606 are shown. If File
1601 is of a type which cannot be rendered by either Rendering Plugin 1605 or Rendering
Plugin 1606, RealNetworks G2 Client Core 1602 may attempt to access an appropriate
plugin, e.g., by asking for the user's assistance or by accessing a site associated with the
particular file type.

Rendering Plug-In 1605 or 1606 processes File 1601 in a conventional manner.
This processing most likely includes decompression of File 1601, and may include other
types of processing useful for rendering the content. Once this processing is complete
(keeping in mind that the content is streamed, so that processing may be occurring on one
set of packets at the same time that another set of packets is being rendered), File 1601 is
passed back to Real Networks G2 Client Core 1602, which then passes the information to
Rendering Device 1607. Rendering Device 1607 may, for example, be a set of stereo
speakers, a television receiver, etc.

FIG. 17 illustrates the manner in which a trust plugin operates within the overall
Real Networks architecture. Much of the architecture illustrated in FIG. 17 is the same as
that illustrated in FIG. 16. Thus, File 1701 is provided to Real Networks G2 Client Core
1702 through Server 1703 or through Direct Connection 1704. The file is processed by
Real Networks G2 Client Core 1702, using plugins, including Rendering Plugins 1705 and
1706, and is then passed to Rendering Device 1707.

FIG. 17 differs from FIG. 16 in its incorporation of Trust Plugins 1708 and 1709
and IRP 1710. When initially registered with Real Networks G2 Client Core 1702, Trust
Plugins 1708 and 1709 inform Real Networks G2 Client Core 1702 that they can process
content of type RNWK-Protected. Whenever Real Networks G2 Client Core 1702
encounters a stream of this type, it is then enabled to create an instance of the trust plugin
to process the stream, e.g., Trust Plugin 1708. It then passes the stream to the trust plugin.
The stream passed to Trust Plugin 1708 may be in the format shown in FIG. 14. In
such a case, Trust Plugin 1708 extracts DigiBox 1404 from Media Properties Header 1402.
It also extracts the content id and original mime type from Media Properties Header 1402.
The Trust Plugin first checks to see if any other stream with the same content identifier has
been opened. If so, then DigiBox 1404 is not processed further. Instead, the key and IV
from the box for this other stream are used. This avoids the time cost of opening a second
y Shanns c ° mew ids ' keys ' - «- - - P** with

raiLM 8>« ox are used even if another stream with the 
content identifier has already been opened.

If no other stream has been identified with the same content identifier, Trust Plugin

1708 passes DigiBox 1404 to IRP 1710. IRP 1710 may be a software process running on

- Real Networks G2 C|iei)t Core Md ^ ~» 

designed to render IRP 1710 resistant to attack.

^'^^P'^agiBoxl^andexrracUcwographrckeyandanlV 
w ten may then be passed ,o Trust P,u gi „ , 708 . TpJst pJ^J > £ ^ " W - 

information to decrypt Encrypted Contents 1406.

P^C^ "" ° ri6mal mime ~ - Media 

oon,en t («. g ., Rendenilgp , ugIn , 705) Once this is done. Trust Plugin , 708 behaves lik e 

Networks G2 Client Core 1702 passes streamed information to Trust Plugin 1708, which
decrypts that information and passes it to Rendering Plugin 1705. Fr ' f
Real Networks G2 C.ien, Core , 702. Tnist Pluein 70 T „ "^"^ ° f 

rendering plui „, Md tne c0 „ „ ^ " ' 08 <™ *• W*- 

Pi„„- „ac not aware l nat the information is being passed by Trust 

Plugin 1708 to a second plugin (e.g., Rendering Plugin 1705).

Similarly, from the point of view of Rendering Plugin 1705, Trust Plugin 1708
behaves like Real Networks G2 Client Core 1702. tk , u

operates exactly ae if ti,„ ■ * ' Rendenn g Pl"g>n 1 705 

C In cZ 02 " ^ ^ *» *eal NeKvorks G2 

Client Core I 702. ,„ , hls m!mncr , w fc 

instead be first processed by Trust Plugin 1708, without requiring any alteration to Real
Networks G2 Client Core 1702 or Rendering Plugin 1705.
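
The dispatch described above for FIG. 17, as an added Python example that is not code from the patent or from Real Networks: an unmodified core selects a plugin from the declared stream type, and the trust plugin opens the DigiBox once per content identifier, decrypts, and hands packets to the renderer for the original mime type. The class names, the `audio/x-demo` type, the dictionary standing in for a DigiBox, and the SHA-256 keystream (used in place of the DES output-feedback cipher the text names) are assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

PROTECTED_TYPE = "RNWK-Protected"  # stream type the trust plugin registers for (from the page)

def xor_keystream(key, iv, seq, data):
    """Stand-in cipher: SHA-256 counter keystream, same call encrypts and decrypts.
    The page names DES in output-feedback mode; this substitute is stdlib-only."""
    stream, block = b"", 0
    while len(stream) < len(data):
        ctr = seq.to_bytes(4, "big") + block.to_bytes(4, "big")
        stream += hashlib.sha256(key + iv + ctr).digest()
        block += 1
    return bytes(d ^ s for d, s in zip(data, stream))

@dataclass
class StreamHeader:
    mime_type: str                   # declared type the core dispatches on
    content_id: str = ""
    original_mime_type: str = ""     # saved when the packager rewrites the type
    digibox: Optional[dict] = None   # constructed stand-in for the secure container

def protect(header, packets, key, iv):
    """Packager: save the old type, declare PROTECTED_TYPE, encrypt every packet
    (assumption: the page's selective packet encryption is not modelled)."""
    new = StreamHeader(PROTECTED_TYPE, header.content_id, header.mime_type,
                       {"key": key, "iv": iv})
    return new, [xor_keystream(key, iv, i, p) for i, p in enumerate(packets)]

class IRP:
    """Models the protected process that opens a DigiBox and returns key and IV."""
    def __init__(self):
        self.opens = 0
    def open(self, digibox):
        self.opens += 1
        return digibox["key"], digibox["iv"]

class RenderingPlugin:
    """Unmodified renderer: cannot tell whether a trust plugin sits in front of it."""
    def __init__(self, sink):
        self.sink = sink
    def open(self, header):
        pass
    def process(self, seq, payload):
        self.sink.append(payload)

class ClientCore:
    """Unmodified core: chooses a plugin only from the declared stream type."""
    def __init__(self):
        self.factories = {}
    def register(self, mime_type, factory):
        self.factories[mime_type] = factory
    def load(self, mime_type):
        if mime_type not in self.factories:
            raise LookupError("no plugin registered for " + mime_type)
        return self.factories[mime_type]()
    def play(self, header, packets):
        plugin = self.load(header.mime_type)
        plugin.open(header)
        for seq, payload in enumerate(packets):
            plugin.process(seq, payload)

class TrustPlugin:
    """Looks like a renderer to the core and like the core to the real renderer."""
    def __init__(self, core, irp, key_cache):
        self.core, self.irp, self.key_cache = core, irp, key_cache
    def open(self, header):
        # Reuse key and IV when a stream with this content id is already open;
        # otherwise have the IRP open the DigiBox.
        if header.content_id not in self.key_cache:
            self.key_cache[header.content_id] = self.irp.open(header.digibox)
        self.key, self.iv = self.key_cache[header.content_id]
        self.inner = self.core.load(header.original_mime_type)
        self.inner.open(header)
    def process(self, seq, payload):
        self.inner.process(seq, xor_keystream(self.key, self.iv, seq, payload))

def demo():
    core, irp, cache, sink = ClientCore(), IRP(), {}, []
    core.register("audio/x-demo", lambda: RenderingPlugin(sink))
    core.register(PROTECTED_TYPE, lambda: TrustPlugin(core, irp, cache))
    clear = [b"frame-0", b"frame-1", b"frame-2"]   # constructed sample packets
    hdr, enc = protect(StreamHeader("audio/x-demo", "work-42"), clear, b"k" * 8, b"i" * 8)
    core.play(hdr, enc)   # first stream: the IRP opens the DigiBox
    core.play(hdr, enc)   # same content id again: cached key and IV are reused
    return clear, enc, sink, irp.opens

if __name__ == "__main__":
    print(demo()[2:])
```

A core with no trust plugin registered raises `LookupError` on the protected stream, because the declared type no longer matches any renderer it knows.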

Trust Plugin 1708 may also perform other processing that may be helpful for
MP3 Embodiment

The techniques described above can also be applied to MP3 streaming content.

'802. Con,™ ,802 ,s d,v id d ° 0 !' t ^ *- 1801 °~ 

inCude a iarse n^bc of Zes ' ^ *" *" "« ^ 1802 -y 

and 180 r 6ameinC ' UdeSiGOW ' Sma " head "-'— ™- '-H— . .m. , 8 07 

^^^Tr ^ ;rT^ - *' ,, " ,Mv, — - 

m«.h e §-' a URL for a trust plugin, instructions on payment 

or decrypt C os,s To ™ ' rf ' e °' ™" ISeable - WUh0 "' ta *"*W «-» 
b»es ,„ each frJTare ^ * ' ^ l""**" - cos,, „„ ly 32 

be encrypted in every frame m a , ^bodnnent, a different 32 by.es may 

Many alternate embodiments may exist inrl„Hin 0 
i^ion. and usl „ 8 difrerenl t ^™" 8 - « - 

ID3 V1 Trailer 1902, including 128 bytes.
• Content© 1903, including 16 bvtes Thic JL

"09. "m^C^lT*"*™ ' 8K ^CudesKey 

watermarking Instructions 1911 w,t^ i- , 

be - » ■ p — ^ ~ ing ,^21 8 raC ' i0 " S '" ' may 

con Sls ,; of "° 5 ' "eof Content m 1903 ^ 
Ira,Ier 1907, which ,s acopy of Trailer 1902 

looldng f„ r ,„e * lra „ * ^ ~* - «« P*t A conventional 
Fir ™ ■„ '"formation w,ll seek 10 the end and find il 

20 tllustrates one embodiment of an MP3 nlaver H«- . 
-der protected content. This ngur e sho „ s MP 3 I« 7^ 

Protected ^ ^TIT ^ ^ ^ 

Hie 2002 may have the format illustrated in FIG. 19 

for the presence of Trasl n, ' ,°° 2 ' "rren checks Protected MP3 File 2002 

returns an indicator that the file is' „ !"* " " 01 *"* ApPr ° Val *«*» »» 

me as a norma, Mp 3 m ™ PTO Pla >* r 2 °°> *- proceeds to render the 

uj ot a tile that has already been opened 

software n^ing in . prottc " ^ '° B? ^ m * 

attempts to op. ^ " « -Per reststance. 2004 

One such tu,e may Cre oTe 7 «- "igiBox 

-en,. ,f U^ZJ^T ^ — * « * ~ 

!904 cannot be opened (e.g., , he user refttses to pay, a value is 
retumed to Approval Function 2009 indicatin«,th a t»K r,

played 8 *" fiIe ,s P rotecte d and may not be 

ct;::^^' i::: on,ent ; d 316 - ~ *» 
«^ ful «n« W c 0 rr;r:::rrr; con,en,iDofa,,a ^ o - ed 

App^F-ncUo^O*, edmeft "» ta *P'ay. Sa u t h„ri Z «i is rented ,o 

^^-.w^c^'^.r d cRc " i, -- ,, " 

-cessary, and re*™ ,„ Player 2001 °* C "°° 20 ° 5 ' Wh,Ch ""K* "« »■"« if 
in,e™, ion ^ Approva , " T " *"*" " 

- Dec„ mPrcssor 2007 ;i:„ me ' ^ ,i,,e imo a piayiifl 

C^ m ApplIrace Emb :*3 y - ^ PI*. 3003. 

U- p,ov,ded elMwh I in th^description ~ *"~ «"« " 

In one embodiment, this section will descrihe mn *e 
standard designed to support the associat. o ^ * *° 

assoc.at.on of pers.stent rules and controls with MPEG-4 
content, as weU as elements necessar, for a Co mm A ,

This is intended, however me relv ,7 * W SUCh COntent - 

mer eiy as an example 

In one embodiment, shown in FIG 23 ea .h r 
CMPS ("Content Management and Pro, !■ o " ApPlianCC 2301 inc,ude * a 

*~ gt heuse of ™ Each CiMPS is responsible 

Each governed digital wnrir ™ 

("CCMPO") used ,o associ.7 ' ^ ' Cbma CMPO 

MPEG-4) may have associated wlm^tTcMPO Each object (or Elementary Stream, in 
object. ' CMP0 """-ng rota, governing , he parlicukr 

CMPS 2302 ma, download a M^T 7" * ** ' ^^"^ «*• 

«*■. conditions re qu .r^°T ™ k »*■* 

sattsfled. CMPS 2302 may 1^ ft * ™ k ' " «« » 

MPEG-4 work may the re a„erTroce= ds a " P ° S " i ° n ""' ° f "» 

««* iocation or bus which 17 ® * MPE °- 4 SH " dart ' *»• «v 

"02 may have the Z ^ ^ *" ^ ~* - C ^ 

information regarding wW AVO " We " 35 * ° bI ™ 

8 tngwhtchAVOswere actually re| eaS ed f or vising 

^ownloadingTccXwlr ^"^ *** *» «* ™* 

MCMPO associated with , he n wo^^ * *> ~ » *W - 

In another variation, a CMPO ma „ u 
«■» MCMPO supplies „ r J^T* °™ - ES. Ln this variation, 

ng d.s.r.b.ned, ^ „_ ^ ^ ^ ^ 
applying rules and controls to govern the use of content Con,
supported by one or mnw u , special-purpose Functions may be 

z. cmps : zrrc^ cmps 2302 in * - ° f ° 
™, may alM be desi§ncd so , ha , k b j^^ c °---» 

a seMop box connected ,„ , DVD p laver md „ 7 ^ Applia " ces <•*• 

standalone computer or n,h ? managed d ° Cking e ™ r °nment (e.g., a 

«- envnon^en, 10 fom , * 

nvirunment, (e.g., further one or more PlUPQc ^ 

information, such as f or examole 7 ^ USagC manageme "« 

cn as, tor example, information provided by use of CI) 

An exemplary Commerce Appliance ma vh,»H-c , 
MPEG-4 aandard for the fonpaui J „ ^ '° ^ ^ * «*« 

-^or^o,^^^ 

ta.wser-.ype app„c Mro „ s consisting ^ ^ 
boxes, etc. ^ QeV,ces incIude bowsers, set-top

C.«,.« M M , geimilt „„„ PNM- System 

Pafctdar Actions o[CMps ^ ^ ^ — . 

(a) location and interpret ofm , M 

wi.h a work. " ^ °" e ° r m ° re CMPOs 2303 

"-ay identify . panicular work J ^ — * » « of wo*s, a MCMPO 
Object (-AVO-). ° ,dem " V 3 » or Audio Visual 

case of MPEG-4 for ~r ^ d3,a "° W * "» ■««- standard. ,„ ,he 

CMPS 2302 .nay ZT;2:T 2305 ^ " e W <*« *02. 

me content may „ as descnbed by J^" ^ ^ *• - How assoctated with 
(d) Control of content based on rules 

,33 patent ^ZZZ^Z" ^ " " 
CMPS 2302 exercise contmi u SyStCmS ' this re< J uire 

AVOs (perked by Scene Descn>,„r Z^^T"*™***** taW 

Descriptors 2308), scene rendering Jf™!, r ° ^ " ^ 

nng (performed ,n Composite a„d Render 2309) 
*>cume„,, and in cherp^,^. ' R ^ Pyn81 " COntt< " FmneW '» k "
proposed in fc Gimer .333 ' < > * »*~« ^ge, such as those 

5.638, «3 ,o Stef*. e, T^^TT T " ^ '~ ^ 

Maker, as described by B^Z? * ** AT * Ts 

"™ oy uiaze, Feigenbaum, and Lacy f5l 11,. m 1... , 
«nal bus Mission as specified by ,he DTDr I * ' 394 

Tecuntcal Working OrJLJl , ° f to DVD C ^ Protection 

rransmmed ustng any secure J, ' C< "'" ,i, " y Pr ° POSi ' n < 6) c °»"° k 

*- J1 J" n § use rules and consequences 
(e) Monitoring use of content 

protect content- and fiii) ,ec„H 7 ' 10 ^ W " h *» ■*»«» °' 

needed for payrnen^L ^ ~* * **** — «*— 

(f) Updating user budgets 

CMPS 2302 may be used to update user or other budgets to reflect usage

(g) Exhaust information. g 

.0 external processes, tncluding c „ e or raore c 

(h) Hardware identification and configuration

—stral ^ " 

(k) Securely sending and/or receiving user and/or appliance profiling and/or
attribute information.

(l) Securely identifying a user or a member of a class of users who requests
content and/or CMPO and/or CMPS usage.
apphcauon ^aJZSZy T CMP ° 2301 ^ 2302

incorporated herein f„ , P3tent plication and as 

- "P-d back ,„ . remote a^o^ s " f ^ ""^ ^ 

c-**-. marten, localjo 7' *"* ™* * ^MPO nghts 

downstream a, g ,,a, ^^TTT ^ '* " CMPS » ' 

responsive for g0 ^ « 0 1 f *** " «** CMK - 

p-,, „, distnbuIe , ir:::* * ^ ,hai «* ■«* 

aforementioned SheaI pate „, app ,J"™f nS » tt • «■> - described in the 

vehide. boat ship, or atrplane. ,h at may com! such as a car, .ruck, sports utility 

— r. through a , leas[ in pm ^ _ ~ P — " * ""^ '"operative 
flexibility and efficiency and*. r ""*' CMFSs - 10 «<« opnmal commercial 

pynght nghts of prov,ders, infrastructure rights of 
providers soceta, rignts of go _ ^
rights of all parties, ncludine con«mi M r r pnvacy 
network of va, U e chain p„l ~ d " U "™' ,m — ""* * 

conseouence „h r, ^ g C °° tt °' USage "^'^ -sage 

orvDE „2 ^ Ca "°" ^ to infoma,to ° « 

In one embodiment, shown in FIG. 24, CMPS 2401 consists of special-purpose
^wareandrestden.soIWornrmw^ ^ ^ ^ " I"*- 
(a) One or more processors or microcontrollers e.g. CPU 2402 CPU 2dm 

dieted networks such J * 2 ^* ™° ' 

one or more IEEE , 394 sena, bus ~ ^ >~ ™ y - 

2405 m H <C> , Mem0,y 24 ° 5 ' ^ ° f mem ° rieS wteh -» * 0 Memory 

2405- and samples of the information they may store - are the followng- * 

CMPS B,OS 240 8 , <2, .U-cJ^^^, f~" ^ ^ 

v.eniiicates 2412 designed to dentifv CMPS ?4ni .uj • 

formation; (« Hardware SignatJln^ T k ™™ 

needed by CMPS 240,"'^ ^ ^ Mi C ™ « *- 

Object Identification 24,7 „f,K are currently active- (3) Content 

4^*z:«^:zi^r" e, ^ ,,,i - <in - MpK! 

241 8 whirl, P ' *" ,dentlflcation of active AVOs); (4) Rules 
X 1 T raP0 ?'" " W S ' 0red **- *» relating „ use

' " ' 2422 ' <9) Ac,,ve CoMCTl Class Information 2423; ami (10) Active User 
.denMcatton 2424, .nc,„ ding identic ch„ c info J.' 

. '»• 2425 (eg., flash manor,). This type of memory may 

ho d whic „ , ^ bm chan8Mbiei . nciudj W ^ may 

«7' ^ SMd0toC °™ OTeU «^ S ^(3)Us er P ref e re oce s 242T 
such as attribution and/or state reformation. 

The types of information described above and stored in CMPS Memory 2405 may

stoL R^ T 7 " re8ardtog ~ m « ™ay be 

stored ,„ ROM, certatr, acttve ,„f„ ma i„„ may ^ ^ <Mo ^ 

Budget ...formation may , nclude stored ^ ^ ^ ^ fc ^ 

(1) electronic cash;

(2) pre-authorized uses (e.g., based on a prepayment, the user has the right
to watch 12 hours of programming).

(3) Security budgets related to patterns reflecting abnormal and/or
unauthorized usage, for example, as described in the incorporated Shear
patent, wherein such budgets restrict and/or report certain cumulative
usage conduct.

(4) electronic credit, including credit resulting from usage events such as
attention to promotional material and/or the playing of multiple works
from one or more classes of works (e.g., certain publisher's works)
triggering a credit or cash refund event and/or a discount on future
playing of one or more of such publisher's works, such as other works
provided by such publisher.

User information may include the following types of information for one or more
authorized users of the Commerce Appliance:

identifier ^ ^ ^ s ^ty number or other 

selected oass ^ ^ * ^ WWch ^ * «** 

selected password and/or biometric data, such as fingerprints, retinal data, etc.

(3) User public/private key pair

(4) User attribute and/or profiling information.

iv. Removable Memory 2430. This may include any type of
removable memory storage device, such as smart cards,
floppy disks or DVD disks. If the commerce appliance is
designed to play content received on removable memory
devices (e.g., a DVD player), that capability may be used for
purposes of the CMPS.

securny, and/or cryptographic informal* is stored in secure memory wtth corLL 
tnformatton s,ored in an encrypted r3sUm in ^ ^ 

C^S 24 7 reCe ' VKi inf0TOa "° n ' ' nClUdin8 — - CMP °* other 

CMS 240, may also uxlud. a faci lity for encrypting jf such ^ 

b= —d ouaide the „ bomdaries of CMps 240 , ~ - 

or outer externa, repositories; and c„„,e„, sen, actoss ms " 
bu^ „, usage, such as c™te„, sen, ffiEE , 394 ^ ^ 

-cetvtng CMPS may be empteyed to control m , s 

decrypt such comen,, as appropnaK e^,,^ 243^ 7 h 

«d tdenttry and assure the umoueness of CMPSs and support ,he optming of secure 

(e) Secure Clock/Calendar 2434. CMPS 2401 may include Secure

Clock/Calendar 2434 designed to provide absolute information regarding the date and time

2Z^tlT Back Up 2435. ,. may n.rther mclude Sync 

Mechanism 2436 for synchronization with outside timing information, used to recover the
correct time in the event of a power loss, and/or to check for tampering.

(f) Interface 2437 to blocks used for content rendering and display. This

^bac, nformation, wMchmaybeusedfor^enngp^sesorforprovid 7 

which choices the user invoked Ptv ^ i„ .k ^ uispiayea, 

invoked, etc.) In the case of an MPEG-4 player such as is shown in 

SUBSTITUTE SHEET (RULE 26) 



WO 99/48296 

PCT/US99/05734 

-44- 

compose and rend * ^7^"° ^ - 

™g (e.g., Control Lines 23 1 0, 23 1 1 and 23 12) 

AVO object ,s re ,ease4 for viewinVl Z ° 3 """ *° CMPS 2302 - 

AVO objec, 1S no longer J™"^ * — ' «- - CMPS M w„ en „v 

fo , v ie ™ 8 r*.*" ,de " ,i ' ica " 0 " ° r ^ «*- — I* 

. r° dimen " *■ fo " ow,ns pn,,oco1 ™ y * — «- 

"start <id>, T, <instance number><clock time><rendering options>"

Sen, £ STCara < id > is „ jn fc ^ a ^ ^ bm ^ ^ 

I"" <ld> ' T ' < """'" —»■»«** ttaexr^dertug , pnW 

o f p lay (.,, ndennE ^ ^ -* *»— - Md ^ 

™ s impli es ta a U nodes in 1 T <ld> «— ' « 

- be a, ,ar g e as , he number of st J^T " " «"• ™- «- need 

w, 1 .be^ ngf o r _. ifnotl r e ;rr,:orr:r;r if,hecMps 

s^i.teachab.eif.he^,^,,,^^ dth ™' * AV *»» 

»o or more iraanccs of ^ , ' **** "* ~ Wh ~ l "° <«. 
have,ocoun, up . m Uns c J^evt T «»——«*.« 
« -en, ^ " ' "*«- « *e CMPS .„ ma.cn a 

In a second embodiment C\zfP<; ?7n-> 

^-^--.^ 
device. In this embedment, ^ mua „„ talen ^ ^ ^

Amotion, . » Panned in a secure and tamper-resistant manner, despite ,„ use of general 
^rcose harfware. Each rf fc elenraus ^ ^ ^ ^ ^ ^J— 

functions and general purpose device functions: 

(a) CPU/microcontroller. This may include one or more devices. If more
than one device is included (e.g., a CPU and a DSP, a math coprocessor or a commerce

**" may 1,5 mcluded wma - — ~~ -** -» " 

rendered tamper-resistant, or the devices may communicate on a secure bus. The CPU may 

secure CMPS mode may allow addressing of secure memory locations unavailable to the
processor in general purpose mode. This may be accomplished, for example, by circuitry
which remaps some of the available memory space, so that, h m ^ £,
cannot address secure memory locations.

(b) External communications ports. If the device, for example, a Commerce

P» (enable connection, an Interne, conation,, this communications p^, can be 
Z Ttnr™ "* ' ^ *"-" 10 * «— ■ communications 

::;,^.^ ,oavo ' dor — 

(c) Memory. In some applications and embodiments, it is possible to
operate a Commerce Appliance without NVRAM, wherein information

ROM^Tr 3 ' ^ emP '° y W ° Uld ta I — «** I quired, 

be accomplished in any of the following ways, or in a combination of these ways: (1)

remapping; (2) the entirety of the memory may be rendered secure, so that even portions of
the memory being used for non-secure purposes cannot be observed or changed except in

an authorized manner; (3) CMPS information may be stored in an encrypted
fashion, though this requires at least some RAM to be secure, since the CMPS will require
direct access to unencrypted information stored in RAM.

■nd„H- v <d) ^ ,i0 ^ WSOnOT ^ e En ^™™d decryption (unctions 
including key generation, may be handled by special purpose software running on a general
purpose processor arrangement, particularly, for example, a floating point processor or
DSP arrangement. That processor arrangement may also be used for purposes of
decompressmg and displayiug content ^ fc hMdlmg 
insertion and/or reading. Alternatively, the device may include native encryption and
decryption functions. For example, various emerging standards may require at least some
degree of encryption and decryption of content designed to be passed across unsecure buses
within and among devices such as DVD players, such as the "five company proposal" and
other IEEE 1394 related initiatives. Circuitry designed to perform such encryption and
decryption may also be usable for CMPS applications.

(e) Secure clock/calendar. The underlying device may already require at 
least some clock information. MPEG-4, for example, requires the use of clock information 
for synchronization of Elementary Streams. A secure CMPS clock can also be used for 
such purposes. 

In a third embodiment, CMPS 2302 can be primarily software designed to run on a
general purpose device which may include certain minimal security-related features. In
such a case, CMPS 2302 may be received in the same channel as the content, or in a
sideband channel. An I-CMPO and/or other CI may specify a particular type of CMPS which
Commerce Appliance 2301 must either have or acquire (e.g., download from a location
specified by the I-CMPO), or CMPS 2302 may be included, for example, with an I-CMPO.

A software CMPS runs on the CPU of the Commerce Appliance. This approach
may be inherently less secure than the use of dedicated hardware. If the Commerce
Appliance includes secure hardware, the software CMPS may constitute a downloadable
OS and/or BIOS which customizes the hardware for a particular type of commerce
application.

In one embodiment, a software CMPS may make use of one or more software
tamper resistance means that can materially "harden" software. These means include
software obfuscation techniques that use algorithmic means to make it very difficult to
reverse engineer some or all of a CMPS, and further make it difficult to generalize from a
reverse engineering of a given one or more CMPS. Such obfuscation is preferably
independent of source code and object code can be different for different CMPSs and
different platforms, adding further complexity and separation of roles. Such obfuscation
can be employed "independently" to both CI, such as a CMPO, as well as to some or all
of the CMPS itself, thus obscuring both the processing environment and executable code
for a process. The approach is also applicable for integrated software and hardware
implementation CMPS implementations described above. Other tamper resistance means
can also be employed, including using "hiding places" for storing certain state information
in obscure and unexpected locations, such as locations in NV memory used for other
purposes, and data hiding techniques such as watermarking/fingerprinting.
Association of CMPS With a Commerce Appliance

A CMPS may be designed for operation with certain types of content and/or for 
— with certain types of business model , A c^^" ~ 
-^ one ^ eofMSFore _ pieaC _ 

and display content pursuant to different st*^, a P 
format. InaddMo^ aCo^retrl ° eCM?S S °'°^« 

Source of Rules 

panics embodtaen, used: CMPS ' «"» ° f — • «• - *e 

(a) CMPO The ral es may be included wj 
and/or other CI. The CMPO and/or other CI m „ h • ' 
or stream (as e « . h „H T ? ""='"T wra » d *i*i>> * content object 

stream (as. e. 8 „ a header on an MPEG-. ES), and/or may be contained wtthn, . 

in which event it may not be encoded as per the underlying standard (e.g., a CMPS
received as an encrypted object through a sideband channel).

CMPS. e.g„ Ru^ 2 T A CmT" ^ ^ SWred ' 

identifying itself and the general da™ «f .• "wrogntneU 

c general class of control it requires, with the CMPK tt„>„ i • 
particular rules specific to that CMPS. CMPS then applying 
Rule "primitives" may also be stored within the CMPS (e.g., Control Primitives

2410). The CMPO and/or other CI may invoke the primitives by including a sequence of
macro-type commands, each of which triggers a sequence of CMPS primitives.

(c) User. The user may be given the ability to create rules relating to the
particular user's preferences. Such rules will generally be allowed to further , »

::r E n : ,o expand ^ use * «— ^ - 

lowed Examples mclude: (a) ru,es design to require ma, certain type, of con,™ 
^ adni, movtes, on,y be accessible after emry of a password atrd/or Zy to It 

« «a body such as a government agency); (b, rules designed to require that only 
P~*r users be allowed to invoke operations requiring p,^, ^ . ^ 
and/or aggregate payment over a certain amount 

The user may be allowed to create templates of rules such as desenbed in the 

CMPS ^angemen, artd/or a particutar CMPO and/or other CI, may restrict the ru 2 1 
user ,s a owed to spec,*. P„ r cample, a C, may spectfy tna, a user can copy a woTkt, 
-to add „,« I0 the woric rcstr]cting , he abUiiy of a JLit^T 
(o to b able ,„ v,ew, b„, only after a payment to the fa, user). User supplied on 7 
mor ntles may govern the use of - ,„c,„di„g priva cy ,^Z__ ^1 

aud„,prolll,ng,preference,and/oranyotherkindofi n f nm ., , • „ 
a consequence of the use of a CMPS L, <e g " " ,f ° nM ' i0n 35 

content) Such ^,° f ; CMPS ^S™- ™"«""S. for example, use of secured 
nte t, Such user supphed one or more rulesean be associated with the user and/or one 
r more Commerce Appliances ,„ . user arrangement, whether or no. the information 7 
aggregated accordmg to one or more criteria, and whether or no, user antl/or app IT 

d i r on ,nfora,a,ion ,s removed •*» zr; 

tfimbunon, or any other kind of use. c P°mng, 
The ability to allow the user to specify rules allows the CMPS to subsume „ 

P-sely wha types of information each viewer w,,, be al.owed ,o „a,ch ( e.g vioL 
co men, can only be displayed after entry of a certain password and/or otne i em eT 


"^providing a dil^l ^'^'^^^^^^ 

cou,d be reeved by cerTd! ! * *" "-"•«' *<*". 

aU recent viewer, of a T" ■*-»—"— * *■ -en, provider,.*, 

such as being members^iff^ and/or all members having certain identity characteristics 
Stream. One^r^rn^reCMp^^j^^T^ 6 ^ ^""'P'** 6 ^ together to form an Aggregate 

3 If a Work i! 7 ^ "** WWCh ™* ™*<»» -> Object 

crures may be multiplexed together into an Aggregate Stream nr 
be received separately. ^ssregate stream, or may 

*. ^ «tr™rr ™ mui,ipted ^ im ° - 

S— itseif may b ™ h "** '° "* mU ' Mt ™ 8 - ™» Aggregate 

structures are unencrypted (m me clear) JT "reams/data 
individual streams/Zs Jcrn^ 2 ^ **■ " "« <*> 

S-arn is encrypted ^S^TT H T*"* 
encrypted prior to mu.tipljg, " " 

nixing; or (d, individual rreamr iclT " "°' ^ ^ 

A CMPO may be received as part of an Aggregate Stream or separately.
9. If a CMPO is multiplexed within the Aggregate Stream, it may be encrypted or nonencrypted. If encrypted, it may

^«.^^~r~- ,, * ta,i,fc --'' 

*• -.en, (b) a heade, „ h , ch is J^*" "~ y f ™' - 
. . ^ illustrates the following embodiment- 

2305 a, re ^t^ ;~' ng '° - *— » « — - -* in Head, 

accesses a ikm- r,r„*:i w ithin the set-top box 

ccesses a user profile persistently stored in NVRAM »„h ^ , 

4. The CMPS obtains an identifier for the MCMPO « • , 
oaraHe, ,?! deranXin8 ° f S,ream 2501 »»y occur in

P- > I Witt, u,e precede step), and obtaills ^ MCMpQ J 

«M— «*» the Aggreg a,e Sttealn ( , g , MCMpo -J^ 

without decrypting the entire Aggregate Stream.

6. The CMPS identifies the ES which constitutes the MCMPO (e.g., ES 2503). The CMPS downloads one complete instance of MCMPO 2506 into an internal buffer, and uses the key received from CCMPO 2504 to decrypt MCMPO 2506.

^506 7 'iJ? CM?S dettm "" eS WhiCh ^ ^ ^ MCMP0 2 506. MCMPO 

,for example, mcludeaiulesutingtha, .he user can view the associated^ 

*e user"' " " ° P " 0 " ! ~ — - «- «» * 

». user. The menu specifies Ule options, i„c,„ d , ng Ihe cost for each 

options may be specified, including payment types. 

9. The user uses a remote control pointing device to choose to view the work at a lower cost but with advertisements. The user specifies that payment can be made from an electronic cash budget stored in the CMPS.

uiNVRAM. and generates and encrypts a message ,„ a server associated with 

The menage transfers the required budge, to the server, either by nansfe^g e ,J^ 

2z r g a r ciai * m * m ,o ~~ - — ■ ^ 

bTf h ' ™ S ""- «* ^ bC SM " "-»—*. or may be 

buffere to be sen, later (e.g., when the user connects the device to the Internet L step 
may be taken ,n parallel with decryption of the content.) ^ 

U. The CMPS obtains from MCMPO 2506 a set of keys u«d to decrypt the 
E,eme„tao 'Streams ass.ca.ed with the work „,. ES 2502). TV CMPS aJl 

O K PW ^ ^ inCU,dK —«■— • A Scene Descriptor 

process of M^EC T T" ^ " "» ^ 

process of MPEG-4 decoding, compositing a*, Bering men takes place. The Composite 
^Render block outputs s,an and Stop events f or each objecl ^ for

CMPS tnonnors thts mformation and compares it M „, expecled ^ 8 

CMP cord™, tha, the advertisements ^ ^ ^ for 

operatton has occupted approximately the expected amount of time 

In another embodiment, a set-top box containing a CMPS (e.g., CMPS 2302 from FIG. 23) may have a cable input (e.g., carrying M4 Bit Streams 2314 and CMPOs 2303). The cable may carry multiple channels, each made up of two sub-channels, with one sub-channel carrying MPEG-4 ESs (e.g., M4 Bit Streams 2314), and the other sub-channel carrying CMPOs (e.g., CMPOs 2303). The sub-channel carrying CMPOs 2303 could be routed directly to CMPS 2302, with the ES channel being routed to a decryption block (under control of the CMPS, e.g., CR&D 2315), and then to the MPEG-4 buffers (e.g., buffers associated with Scene Descriptor Graph 2306, AVO Decode 2307 and Object Descriptors 2308). In this case, if the ESs are not encrypted, they proceed unchanged through the decryption block and into the buffers. This may occur, for example, if the ESs are being broadcast for free, with no restrictions, and/or if they are public domain information, and/or they were created prior to inclusion of CMPOs in the MPEG-4 standard.

Such an embodiment might include timing information in the CMPO sub-channel, so that CMPOs can be synchronized with the associated ESs.

The concept of incorporating two separate streams, one consisting of control information and connected directly to the CMPS, and the other consisting of ESs, may

types of CMPSs, may be changed without alteration to the underlying ES format. For example, it may be possible to change the CMPO format without the necessity for reformatting content ESs. To take another example, it may be possible to upgrade a Commerce Appliance by including a new or different CMPS, without the necessity for any changes to any of the circuitry designed to demultiplex, composite and render the content ESs. A user might obtain a CMPS on a smart card or other removable device, and plug that device into a Commerce Appliance. This could be done to customize a Commerce Appliance for a particular application or for particular content.
CMPS Interface to a CE Device 

A CMPS may be designed to present a standardized interface between the general-purpose functionality of a consumer electronics device and any relevant CMPOs and/or

—trT C0 "' CM - eXm,P ' e ' 3 CMPS C ° U,d * *— - a -d 
encrypted ESs, and output decrvoted FSc mt« a , L ~ 

uccr yP tea into the device's buffers. In such a case, the 


manufacturer of the device would be able to design the device in compliance with the specification (e.g., MPEG-4), without concern about commerce-related extensions to the standard, which extensions might differ from provider to provider. All such extensions would be handled by the CMPS.
Initialization 

1. Initialization of the CMPS

A CMPS may be used to identify the capabilities of the Commerce Appliance in which a CMPS is installed. A CMPS permanently associated with a particular Commerce Appliance may have such information designed-in when the CMPS is initially installed (e.g., stored in ROM 2406 shown in FIG. 24). A CMPS which is removable may be used to run an initialization operation in order to obtain information regarding the device's capabilities. Such information may be stored in a data structure stored in NVRAM 2425. Alternatively, some or all of such information may be gathered each time the device is turned on, and stored in RAM 2414.

For example, a DVD player may or may not contain a connection to an external server and/or process. A CMPO and/or other CI stored on a DVD (and/or any other format optical disk) inserted into a DVD (or any other format optical disk) player may include rules predicated on the possibility of outputting information to a server (e.g., content is free if user identification information is output), or may require a direct connection in order, for example, to download keys used to decrypt content. In such a case, the CMPS arrangement may determine the hardware functionality which is expected by or required by the CMPO, and compare that to the hardware actually present. If the CMPS determines that the CMPO and/or other CI requires a network connection, and that the DVD player does not include such a connection, the CMPS may take a variety of steps, including: (1) if the network connection is required for some options but not others, causing only those options which are possible to be displayed to the user; (2) informing the user that necessary hardware is missing, or (3) causing a graceful rejection of the disk, including informing the user of the reason for the rejection.

To take another example, a CMPO and/or other CI may include a business model which allows the user to choose among quality levels (or other forms of variations of a given work, for example, longer length and/or greater options), with a higher price being charged if the user selects a higher level of quality (e.g., music may be played at low resolution for free, but requires a payment in order to be played at a higher resolution). In such a case, the Commerce Appliance may not include loudspeakers which are capable of outputting sound at the higher resolution. The CMPS arrangement preferably identifies this situation, and either eliminates the higher resolution output as an option for the user, or informs the user that this option costs more but provides no additional benefit given the Commerce Appliance's current functionality or given the Commerce Appliance not being docked in a user arrangement that provides higher quality loudspeakers.
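The capability check described in the two examples above can be sketched as follows. This is an added illustration, not code from the patent; the `Option` and `Decision` types, the capability names and the sample disk options are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Option:
    """One use option offered by a CMPO business model (constructed model)."""
    name: str
    price_cents: int
    requires: frozenset = frozenset()       # hardware the option cannot work without
    benefits_from: frozenset = frozenset()  # hardware needed for the extra quality to be perceptible


@dataclass
class Decision:
    action: str                                   # "offer" or "reject"
    offered: list = field(default_factory=list)   # option names shown to the user
    notices: list = field(default_factory=list)   # messages shown to the user


def negotiate(options, device_caps, drop_no_benefit=False):
    """Compare what the CMPO expects with the hardware actually present."""
    if not options:
        raise ValueError("CMPO carries no options")
    caps = frozenset(device_caps)
    usable, missing = [], set()
    for opt in options:
        lacking = opt.requires - caps
        if lacking:
            missing |= lacking          # step (1): this option will not be displayed
        else:
            usable.append(opt)
    if not usable:
        # steps (2) and (3): nothing can work, so reject and say why
        reason = "required hardware is missing: " + ", ".join(sorted(missing))
        return Decision("reject", [], [reason])
    cheapest = min(o.price_cents for o in usable)
    offered, notices = [], []
    for opt in usable:
        absent = opt.benefits_from - caps
        if absent and opt.price_cents > cheapest:
            if drop_no_benefit:
                continue                # eliminate the higher-quality option
            notices.append(f"{opt.name}: costs more but adds nothing without "
                           + ", ".join(sorted(absent)))
        offered.append(opt.name)
    if missing:
        notices.append("options hidden, hardware missing: " + ", ".join(sorted(missing)))
    return Decision("offer", offered, notices)


# Constructed sample: options a CMPO on an optical disk might carry.
DISK_OPTIONS = [
    Option("free_if_user_id_reported", 0, requires=frozenset({"network"})),
    Option("low_resolution", 0),
    Option("high_resolution", 250, benefits_from=frozenset({"hires_speakers"})),
]
```

A player with no network connection and ordinary loudspeakers is offered only the options it can honor, and the disk is rejected with a stated reason only when no option remains.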

If the Commerce Appliance may be hooked up to external devices (e.g., loudspeakers, display, etc.), the CMPS will require some mechanism for identifying and registering such devices. Each device may be used to make standard ID and capability information available at all times, thereby allowing the CMPS to poll all connected devices at regular intervals, including, for example, authenticating CMPS arrangements within one or more of each such connected device. Using another approach, all devices could be used to output CMPS identification information upon power-on, with later connected devices being used to output such information upon establishment of the connection. Such identification information may take the form, for example, of authentication information provided under the "five company arrangement", such authentication methods are herein incorporated by reference.

each c T ' COmn,erCe AMianCe ^ * « d » ™"*'= dev,ces 

d a TvT,'" 6 T" CMPS anan8ement S ° VD *~ - * " » • 
IT h 7 CMPSS ^ ta '° "*» — —un.ca.ion (e. 8 

us ng a sch eme for examp,e, like ,he "five company propel for IEEE ,394 serial bus, 

«. determme how me CMPSs wil, in ,erac« w,,h respec, ,o c„„.e nl commumcanon 

between CMPSs and, in certain embod.ments. regardmg cooperate governs of such 

con en, such as describing i„ ,he mcorporated Shear patent app,ica,,on ,„ one 

em^men., the firs, CMPS arrangement ,„ receive contcn, might govern the contro, 

^ocess by dovvnloadmg an mi.ia, CMPO and/o, other C, and d,sp,ay one or more of the 

1 T : ~ 5Kond CMPS arran8eme "' m * *■ * •» - 

uh of changes «„ me contem stream crea,ed by the firs, CMPS arrangement (which 
decked .be come*, and may have allowed demuxmg, c„mposi,io„ and rendermg etc 

comoHc^ a "T iP be ' Wee " ™ ^ ™ PSS — * 

Id I " Cemm aS|KCK ° f MPEG " 4 - * — 

handles other aspects. For example, a DVD player might handle demuxing and buffering 

.r^errmg raw ESs ,o a dig.ta, TV, which .hen handles composition and endcrmg Ts 
IT " SUCh 2 ^ ' here mi8h ' ^ "° *» - «„ 1 

de :„: e r d7 rr CMps cms — 

des,g ed ,o handle sund-alone cases (a DVD ,or any other op,ica, disk) player wr,h a 
CMPS arrangemen, auached ,o a dumb TV w,,h no CMPS), mulnple CMPS arrangement 
serial bust ,,h» -on-tatting example, via an IEEE 1349

serial bus) (thai output stream would be encrypted as n~ ,h. -r 

«py protection using IEEE 1394 serial bus """"^ Pr0P ° Sa '" fcr 

between two or more CMP S al, *"* P '° CeSSing 

processing. ^ ^ « » -~ a„, of such 

2 ' '"WmMon of Pim in,larcnnt„r,t „„ w 

which inttiali Jl^JT " T " " " '"^^ 

ma, be a CMPO ^o ^ ~ — " ^ ™* *h 

-*r interpret a particular ^ ZT^T ^ T " 

such as a CMPO ES. received as a U ES 

In one example, shown in FIG. 26, Header CMPO 2601 may include the following information:

(a) Stream/Object/CMPO ID 2602, which identifies the content streams/objects governed by Header CMPO 2601 and/or identification of CMPOs associated with each such content stream or object.

In one embodiment. Header CMPO 2601 identifies other CMPOs which , ft , • 

associated with such streams In the latter u ^ 

n the latter case ' no other CMPOs may be used 
in one embodiment. Header CMPO o^m u 

MCMPOs. and/o, other CI. ' ° M " CMPOs ' CCMTOs . 

(b) One or more CMPO Keys 2603 for decrypting each identified CMPO.

c«en, steams which make XZ^ZZZZ- " " ^ 

hi <d> '" ^ mbalinKm embodimem. a header CMPO may be 
updatable to contain User/Site Information JfifK ™, j- 

-o nZ ed ,„ use certain content ™" " * ^ 

Sained such authorisation. A ^ cLZ ZZ . ^ ^ * 

™y be stored in RAM or NVRAM ™ s m " ^ ^ 

Thls may include updated information. In one 
embodiment, the CMPO may also store header PJUPn r

™c t . ' ,MJ Sl0re header CMPOs for certain works viewed in the 

, m « embodiment, header CMPOs may fce ^ in ^J"^ 

ope ra J;T,^ h "" CMPOemtodiram,0f *^^™--^e r CMPO 

(a) The header CMPO is received by a CMPS arrangemen, In the case of 
received at ^ rei " e ' Ve ^ con ^ en l w hicfi has now become available, the^ header CMPO rnay be 
receiv^atanmputpor, In the case of content which is already available butisno, 
-entlv be,„ e used (e . 8 „ a set-top box with 500 chamtels, of which eithe 0 " beina 
a, any giV e„ ,i m e,, CCMPOs for each Chan., may be bu „e red bv 
arrangement for possible use if the user invokes parted content (e.g switches^ 
particular channel). 1 8 ' swucnes t0 a 

In either case, the header CMPO must include information which allows a CMPS arrangement to identify it as a header CMPO.

dear in me heal! CWoT b ™°°" heid ,„ ,h. 

statement ha odel information may inciude. for exam*, a 

hi M 7 *" *" if *™"« - inCuded, or f the user 

authors N,e,so„.,ype information, user artd/or audience measurement infrmation f^ 

has authorized M S a " a " gemeM e " her aCCePK ' he **** "><>«"• if -=r 

CMPS arrangement to always accept P ,ay with advertisements for free) rejects the 
busmess mo del. if the user has mstructed tha, the parttcular mode, a,w ys T^L 0 r 

dtsplays the busmess mode, to the use, (e.g., by presenting options on ,he screen) 

(d) If a business model has been accepted, the CMPS arrangement then decrypts the remainder of the header CMPO.

„,„„„, ncaaercMTO. If the Commerce Appliance contains a live 

output connection to an external im» r. „ i . 

box etc ) and if T " °°<<™<™. back-channel on a sctop 

box, etc.), and ,f latency problems are handled, decryption of these keys can be handled bv 

oi a secure channel, and receipt of a key from the server If th. r 

one or more keys secureiy stored in the Commerce Appliance 

(e) Once a header CMPO has been decrypted, the CMPS arrangement acquires information used to identify and locate the streams containing the content, and keys which are used to decrypt either the CMPOs associated with the content, or to decrypt the content itself.

(Olnoneembodimem „f this header embodiment, the header CMPO may 
a a dala stracwre for , he storage of informai _ on ^ ^ cwps ™y 

Such information may include the following: 

(0 Identification of user and/or Commerce Appliance and/or CMPS 

~ n ,hi! embodimem ' such infom,a,io " may be — c^T 

o*r to provide an audi, trai, in the even, Uie work (i„c,„din g , he he a d er CMPO) is 

, W I"'' hMd£r CMP ° " ™*"" " ' f->. Such 

infonnatton may be used to allow a user ,„ .ransfer ,he work ,„ „,„„ Commerce 

attT Tf ^ ^'^ PaymeM ° f - i *- «• *«* «-*" are 

lowed by information associated w,, h the header CMPO. For example, a user may 

CMPS arrangement downloads a header CMPO from that cable service, the CMPS arrangement may store the user's identification in the header CMPO. The CMPS arrangement may then require that the updated header CMPO be included if the content is copied or transferred. The header CMPO could include a rule stating that, once the user information has been filled in, the associated content can only be viewed by that user and/or by Commerce Appliances associated with that user. This would allow the user to make multiple copies of the work, and to display the work on multiple Commerce

t^lT ' 7 C0P ' eS "° l - diSP,a - d » — users anoVor 

stating that the user information can only be changed by an authorized user (e.g., if user 1 transfers the work to user 2, user 2's CMPS arrangement can update the user information in the header CMPO, thereby allowing user 2 to view the work, but only if user 2 is also a subscriber to the cable channel).

(2) Identification of particular rules options governing use. Rules included in header CMPOs may include options. In certain cases, exercise of a particular option might preclude later exercise of a different option. For example, a user might be given the choice to view an unchanged work for one price, or to change a work and view the changed work for a higher price. Once the user decides to change the work and view the changed work, this choice is preferably stored in the header CMPO, since the option of viewing the original unchanged work at the lower price is no longer available. The user might have further acquired the right, or may now be presented with the option for the right, to further distribute the changed work at a mark-up in cost resulting in third party derived revenue and usage information flowing to both the user and the original work stakeholder(s).

made, since a rule associated with , he work ^ ... "* " ^ te bee " 

bac kup Md/or limeshifting puipos ; *r y a s,n8,e copy (e - g - for 

nghr ,„ view a work one tie TT eXan,Ple • 3 migh ' 0toi " 

Ptoses. Snch information may 1 te ^ " «" 

to an external server. For example a rule , " rtp0rttd 

Content Management and Protection Objects (CMPO)

The Conlen. Management and Protection Object ("CMPO-1 i« , ,. . 
which includes i„ fonlla , ion used bv t „ e CMps J J ™'° > 15 a <*■ -«-» 

mdudereceiptthrongh a separator, ^ ^ ^ f ~ « may 

se.ectio'^Ierrr"' 5 r a88re8a,i0 " ^ ^ ta « * 

cab,e teievL!;:™!:- S " e - M 3 " de0 " ^ °° — = 

cons„: d ';i:!: ™ ; ::r audio - v,suai - ,exiua ' ° r — <° * 

v icwcu, reaa, etc.) by a user as an inteerateH u,h rt u a 

sophisticated videogame A work mav ■ example, as 

*.u S <une. a work may incorporate other wnrt-c. « f » 
associated

the sound,™, for a It- . J£l * H «"* " ° bje " 

definable portion. ^ '" * V ' de ° 8anK ' or logically 

CMPol emb<Xl '" ,en, mKha " iSm f °' «* —1 - • CMPO or 

C ' VIP0 (which comprises one o, m „ reCM PO sa „H T , ... 

cooperating CMPOs). CMPOs and CMPO a W ° S ' and ' f plural ' <""""• 

with a Channei CMPO arT anangements may be organized hierarch.callv, 

MCMPO 71 sTcmpo ,n,P<>Sin8 ™ e 10 a " «>*. • 

CMPO arT S0CMP ° ' mf ° Sm S H**h '° all objects within a „„ rk , a„ d . 
CMPO arrangement , m pos,„ g „,,« applicable t0 , ^ 

In one embodiment, illustrated in FIG. 27, a CMPS may download CCMPO 2701. CCMPO 2701 may include one or more Rules 2702 applicable to all content in the channel, as well as one or more Keys 2703 used for decryption of one or more MCMPOs and/or SGCMPOs. MCMPO 2704 may include one or more Rules 2705 applicable to a single work and/or works, and may include Keys 2706 used to decrypt CMPOs. CMPO 2707 may include Rules 2708 applicable to an individual object, as well as Key 2709 used to decrypt the object.

As long as a „ objects are subject to control at some level ther, ■ 
that each object be individually controlled For Trn " "° reqU ' rement 

** socmpC ° c z: t;: i:~ y * !or mcmpos 

MCMPOs sr.riuo^ „ 1 In one emb °diment, 

ivi^Ait^us, bGCMPOs. and CMPOs rnnW k~ a- _. • , 

Kevs 2706) b„. - , "" 8 ' nC ' Ude USed "> de 'W ™POs (..„ 

709 used ,„ decrypt an object, bu, migh, incl ude no additiona. Rules 2708. ,„ certain ' 
embod.ments, there may be no SGCMPOs. 

"™ (e.g., the CMPO may be pan of a header in an MPEO-4 ES ) A CMPO m „v k 
contained within its own, dedicated data structure specified by a relevant standard (e.g., a CMPO ES). A CMPO may be contained within a data structure not specified by any content standard (e.g., a CMPO contained within a DigiBox).
A CCMPO may include the following elements: 

(a) ID 2710. This may take the following form: <channel ID><CMPO type><CMPO ID><version number>. In the case of hierarchical CMPO organization (e.g., CCMPOs controlling MCMPOs controlling CMPOs), CMPO ID 2711 can include one field for each level of the hierarchy, thereby allowing CMPO ID 2711 to specify the location of any particular CMPO in the organization. ID 2710 for a CCMPO may, for example, be 123-000-000. ID 2712 for a MCMPO of a work within that channel may, for example, be 123-456-000, thereby allowing the specification of 1,000 MCMPOs as controlled by the CCMPO identified as "123." CMPO ID 2711 for a CMPO associated with an object within the particular work may, for example, be 123-456-789, thereby allowing the specification of 1,000 CMPOs as associated with each MCMPO.

This method of specifying CMPO IDs thereby conveys the exact location of any CMPO within a hierarchy of CMPOs. For cases in which higher levels of the hierarchy do not exist (e.g., a MCMPO with no associated CCMPO), the digits associated with that level of the hierarchy may be specified as zeroes.

(b) Rules 2702 applicable to all content in the channel. These may be self-contained rules, or may be pointers to rules obtainable elsewhere. Rules are optional at this level.

comn,v ,b „ <C> I'"'™ 3 " 0 " 3 deSigTCd fM diSP ' ay in ' he «- *» -» » — * >o 
cm I h , he ra|K (e g _ u advmisement screen jnfom]ing te ^ ^ ^ 

<s available at a certain cost, and includ.ng a lis, of content available on the channel) 
(d) Keys 2703 for the decryption of each MCMPO controlled by this CCMPO. In one embodiment, the CCMPO includes one or more keys which decrypt all MCMPOs. In an alternate embodiment, the CCMPO includes one or more specific keys for each MCMPO.

(e) A specification of a CMPS Type (2714), or of hardware/software necessary or desirable to use the content associated with this channel.
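The hierarchical ID scheme and the FIG. 27 rule and key chain described above can be modelled as follows. This is an added example, not code from the patent: it assumes the three dash-separated three-digit fields used in the 123-456-789 illustration, the record layout (`rules`, `keys`, `sealed_with`) is hypothetical, and a key comparison stands in for actually decrypting the lower-level CMPO.

```python
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class CmpoId:
    channel: int   # CCMPO field
    work: int      # MCMPO field
    obj: int       # object-level CMPO field

    @classmethod
    def parse(cls, text):
        parts = text.split("-")
        if len(parts) != 3 or any(
                len(p) != 3 or not (p.isascii() and p.isdigit()) for p in parts):
            raise ValueError(f"malformed CMPO ID: {text!r}")
        cid = cls(*(int(p) for p in parts))
        cid.level                      # rejects the all-zero ID
        return cid

    def __str__(self):
        return f"{self.channel:03d}-{self.work:03d}-{self.obj:03d}"

    @property
    def level(self):
        """The lowest non-zero field names the level of this CMPO."""
        if self.obj:
            return "CMPO"
        if self.work:
            return "MCMPO"
        if self.channel:
            return "CCMPO"
        raise ValueError("all-zero ID identifies no CMPO")

    def controllers(self):
        """Higher-level CMPOs, top first; a zero field means that level does not exist."""
        chain = []
        if self.level != "CCMPO" and self.channel:
            chain.append(CmpoId(self.channel, 0, 0))
        if self.level == "CMPO" and self.work:
            chain.append(CmpoId(self.channel, self.work, 0))
        return chain


def resolve(store, object_id):
    """Walk CCMPO -> MCMPO -> CMPO; return (effective rules, object key), failing closed."""
    target = CmpoId.parse(object_id)
    if target.level != "CMPO":
        raise ValueError("not an object-level CMPO ID")
    chain = target.controllers() + [target]
    rules, held = [], None
    for i, cid in enumerate(chain):
        rec = store.get(str(cid))
        if rec is None:
            raise LookupError(f"{cid.level} {cid} named in the ID is not available")
        sealed = rec.get("sealed_with")
        # Stand-in for decryption: the key held from the controller must match.
        if sealed is not None and (held is None or not hmac.compare_digest(held, sealed)):
            raise PermissionError(f"no valid key to open {cid.level} {cid}")
        rules += [(cid.level, r) for r in rec.get("rules", [])]
        nxt = str(chain[i + 1]) if i + 1 < len(chain) else "object"
        held = rec.get("keys", {}).get(nxt)
    if not rules:
        raise PermissionError("object is not subject to control at any level")
    if held is None:
        raise PermissionError("no key for the object")
    return rules, held


# Constructed sample store: one full chain, and one work with no channel level.
SAMPLE_STORE = {
    "123-000-000": {"rules": ["subscribers only"], "keys": {"123-456-000": b"k-work"}},
    "123-456-000": {"sealed_with": b"k-work", "rules": [], "keys": {"123-456-789": b"k-cmpo"}},
    "123-456-789": {"sealed_with": b"k-cmpo", "rules": ["play", "no copy"],
                    "keys": {"object": b"k-obj"}},
    "000-777-000": {"rules": ["pay per view"], "keys": {"000-777-001": b"k2"}},
    "000-777-001": {"sealed_with": b"k2", "rules": [], "keys": {"object": b"k-obj2"}},
}
```

The object with ID 000-777-001 carries no rules of its own and is governed only by its MCMPO, which the model accepts because the object is still subject to control at some level.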

The contents of a MCMPO may be similar to those of a CCMPO, except that the MCMPO may include rules applicable to a single work, and may identify CMPOs associated with each object.

The contents of each CMPO may be similar to those of the MCMPO, except that the CMPO may include rules and keys applicable to a single object.
The contents of an SGCMPO u • •,

^ tMPU ma y be similar to those of tho rriupn 
the MCMPO mav inMnH* „ i <-<~MPO, except that 

certa, one aZ^^T^ " ^ ^ ~ " ^ ^ 

user arrangement e CM o * ^ " ^ ^ Cta ~ ° f 

angements (e.g. CMPO arrangements and/or their devices) 

In another embodiment, shown in FIG. 28, CMPO Data Structure 2801 may be defined as follows:

contame^ 2801 " ^ " * ^ EaCh ^ a self- 

earned ,tem of mformat.o. The CMPS parses CMPO Data Structure, one Cement at a 

Type Element 2802 identifies the data structure as a CMPO the k „ • 
CMPS to distinguish it from a content ES i„ T * ^ 

induce 4 bits, each of which ma y T e 0 ToT ^ «<™ 
CMPO. /"ay be set to 1 to .nd.cate that the data structure is a 

The second element is CMPO Identifier ?«m u- u • 

particular CMPO ,„h . ,Ch ' S USed t0 identi *V this 

Faxucuiar CMPO and to convey whether the r\Ai>r\ ■ 

CMPO »w a ,- ,rSt sub - e,ei nent (2803 A) identifies the 

CMPO type, and indicates whether the CMPO ic o ^ "iunes tne 

CMPO: 8 en,ed ° r contr£ >Ued by any other 

HO: is . m id,evel CMPO, and is COTOoIled by . CMpQ 

011: .h,s ,s a low-level CMPO, and is comrol led by a mid-level CMPO h „ 
a top-level CMPO. <-MPO, but not by 

HI: this is a low-level CMPO, and is controlled by a ton-level CMPn , u 
mid-level CMPO. CMPO and by a 

The second sub-element of CMPO in ?sm <v u i 
CMPO. ,„ d* case of a ,„p,eve, C M P o I ' T " * 

CMPO. In ,„e case ofa J ' ' *" " * *• —of .he 

case „, a m ,d.,evel or low-level CMPO which ,s co„, ro „e d bv . lop , evd 
CMPO, this sub-ele m ent contains the identificatton of the top-level CMPO H „ ,

such control. ,„ the case of . mid , eve| or C J°^ 

top-level CMPO, this sub-ele.ent contains zeroes " "* C ° mr ° lled * 3 

cmpo. t °t° id 2803 (sub - eiement c) ^ * ~ 

a m id-,evel CMPO 1 ^ ' " — "~ ta "» - of 

Che case of a ^1^0^ ^ ** ° f ^ ^ ™ P0 *» 

contatns *e J^^^ I' C ° ntr ° 1,ed * 3 ^ "* «^"« 

lucnuncation of the mid- evel CMPO »;h;^u r 

case of. low-level CMPO which • "* * SUCh C ° mn " ln "» 

level CMPO which is not controlled by a mid-level CMPO thic i., 
contains zeroes. LMPO, this sub-element 

The fourth sub-element of CMPO ID 7Sm/.„k . 
CMPO. In the case of a ,„„ i , <S"b-elemen. D) identifies a low-level 

■n me case ota. op-level or mid-level CMPO this s,,h„l_ . 
In the case of a low-level CMPO .hi, < h , ™b-eleme„, con.a,„s zeroes. 

particular CMPO. " ,eM id ™ fl -'°" 

cmpo itrt rirr element is size Ekmm 2804 - - 

CMPO. The CMPS may Z .1 il " ^ " a " era,i °" S " -* » * 

been altered without perl sTi '° "^""^ " tal » "* El ™<™ 

For such purpolTe ™ ' " al " ra,i °" ~* " 

pro.ec.ed daZ' This IrTT inf0m,a "°" « * «* *"«". ,„ , 

has been received ^^TT.*" * ^ » «« * ™* CMPO 

FoUowin, Size el se:: '° ^ °" emPt '° — " ** 

co„,aini„ g owJship ™d ch " ^^P^""' Eleme„,s 

include a specific identilier associated w„ 72 « ^'7' ^ ™> 
be ide„,i fi ed ,„ following elemems ,e g , 806 4 F ^ ™ y * 

idenufy the creator of .he CMPO Eleme'n, T m I ? ^ 2805 <° M 

no chain of ownership info "pr *" ^ 

Perm,. ^J^J^ " " — * C ""» ™ 

«... - user, ide„,,„c^ mTb tddedT^T " ^ " ^ 

may be added as a new elemen, in the chain of ownership 
elements (e.g., a new element following 2807. but before 2808) TV

point of purchase or mav K. r , ' hjS may be done at the 

- *. cmp S d ; e r:: s ::r p,,s ed by ,he cmps - cmp ° ™> - «— 

NVRAM. 3 ^ S,raC,ure "y 'h= CMPS in 

-* CMPS which has ,^ Md ^ ^Tj" " - * 

for audi, purposes, to aUow „ traj , J " CMPS ' ^ '" f °™a.,on may be used 

been c lr eula t ed i mpr0 pe rlv Sue 7 ' "°* " """"^ » "»« 

improperly. Such information may also be rpn nrt »^ 

clearinghouse or central server Chv ffc „, P 38 eXhaUSt t0 3 

specified amount (e a twenrv «™ , information exceeds a 

^.g., twenty separate user identifiers) a CMPS m o 

rurther processing of CMPO 2801 or th. y ^ * aU ° W 

connected to an LJZT' h ^ ^ CM?S haS b ^ 

The last e.eZ T ^ ^ ** *** ° f ' nfo ™-- " 

ihe last element m the chain ofhandling elements feu ?m,r ,,• 
this group of elements. The contents of .hi, ° ' ^ ^ ° f 

contents of this element may, for example, be all zeroes 

„i 7 to authenticate the CMPO tu r i 

element in the dicntil r*rt.-f;„ * i_ lIIC ^ 1V *^U. I he fina^ 

uie aigital certificate chain is all zeroes (^R\d\ rr ^ ■ . 

P-n, a sin B ,e elemen, „ f a „ 2eroes _ „ ~ » — ,s 

idemifled bv a specific iden.iH, H . " ° bjeC ' ° r CMP ° » 

found (e. g ^e ly e ' 3 ^ « ™PO may be 

vcg., mese may be stored in locations 2815 ™rO«i7\ n „ 

may be one or more k ey s used ,o CtL 7 "* 

locations 2816 and 2818) TW. pm ' * CMP0 or ob J ect (*6 .stored in 

™°e up of a,, ,elZ " " ° f '^'"^ - • —on elemen, 

--ofrneconL.ob^^ 

(e.g., locations 28 1 5 and 4,7, r 7 '" ° bjK ' s chai " 

■5a„d_817). Exemplary rules are desenbed below. Elemems may 
contain explicit nties or may comain poi„,ers „ rn.es stored elsewhere CoBd| ^
nclnde pa^a, hardware resources ^ ,„ ^ «* 

n T " Wes ° f CMPS ' ! * h " » " ~ - 

ot the associated content objects. 

Etaenltr 8 rU ' eS,COn,r0,S ^ C ° nd " i0nS elra ^ * a « 
Element 2823 con,a, m „g lltfornlatlon spedfUd by fc ^ 

contents, suck info™,™ may include content , or ^Jff 
pointers to programming. g ' 

The CMPO ends with Final Termination Element 2824 

In one embodiment, the rules contained in Rules Elements 2820-2822 of CMPO 
2801 may include, for example, the following operations: 

(1) Play. This operation allows the user to play the content (though not to 
copy it) without restriction. 

(2) Navigate. This allows the user to perform certain types of navigation functions, including fast forward/rewind, stop and search. Search may be indexed or unindexed.

be „„ j c COPy ' C ° Py ^ " a " OWed °°« <'■«•• time-shifting, archiving), may 

2:; 3 * allowed for " un,imi,ed ^ ° f - - - — 

that a Copy „pe,a„o„ may cause „ updat£ „ M ^ 

d,ca„o„ , hal ,he associa,ed con.en. has been cop,ed. identifying , he da ,e of copL and 
he sue respond fo , making , he ^ wllhout chan 
omen, o^ec. a „d in particular ^ ^ ^ ^ 

demuxed, decrypted or decompressed. In the case of MPEG-4, for example, this may require the following multi-stage demux process:

(i) The CMPS arrangement receives a Copy instruction from the user, or from a header CMPO.

(ii) CMPO ESs associated with the MPEG-4 stream which is to be copied are separated from the content stream in a first demux stage.

(iii) CMPOs are decrypted and updated by the CMPS arrangement. The CMPOs are then remuxed with the content ESs (which have never been demuxed from each other), and the entire stream is routed to the output port without further alteration.

This process allows a copy operation to take place without requiring that the content streams be demuxed and decrypted. It requires that the CMPS arrangement include two outputs: one output connected to the digital output port (e.g., FIG. 23 line 2316, connecting to Digital Output Port 2317), and one output connected to the MPEG-4 buffers (e.g., FIG. 23, lines 2310, 2311, 2312), with a switch designed to send content to one output or the other (or to both, if content is to be viewed and copied simultaneously) (e.g., Switch 2319). Switch 2319 can be the only path to Digital Output Port 2317, thereby allowing CMPS 2302 to exercise direct control over that port, and to ensure that content is never sent to that port unless authorized by a control. If Digital Output Port 2317 is also the connector to a digital display device, CMPS 2302 will also have to authorize content to be sent to that port even if no copy operation has been authorized.

In one example embodiment, the receiving device receiving the information 
through Digital Output Port 2317 may have to authenticate with the sending device (e.g., 
CMPS 2302). Authentication may be for any characteristic of the device and/or one or 
more CMPSs used in conjunction with that device. Thus, for example, a sending appliance 
may not transmit content to a storage device lacking a compatible CMPS. 

In another non-limiting example, CMPS 2302 can incorporate session encryption 
functionality (e.g., the "five company arrangement") which establishes a secure channel 
from a sending interface to one or more external device interfaces (e.g., a digital monitor), 
and provided that the receiving interface has authenticated with the sending interface, 
encrypts the content so that it can only be decrypted by one or more authenticated 1394 
device interfaces. In that case, CMPS 2302 would check for a suitable IEEE 1394 serial 
bus interface, and would allow content to flow to Digital Output Port 2317 only if (a) an 
authorized Play operation has been invoked, a secure channel has been established with the 
device and the content has been session-encrypted, or (b) an authorized Copy or Retransmit 
operation has been invoked, and the content has been treated as per the above description 
(i.e., the CMPO has been demuxed, changed and remuxed, the content has never been 
decrypted or demuxed). 

This is only possible if CMPOs are separately identifiable at an early demux stage, 
which most likely requires that they be stored in separate CMPO ESs. If the CMPOs are 
stored as headers in content ESs, it may be impossible to identify the CMPOs prior to a full 
demux and decrypt operation on the entirety of the stream. 

(4) Change. The user may be authorized to change the content. 

(5) Delete. This command allows the user to delete content which is stored 
in the memory of the Consumer Appliance. This operation operates on the entire work. If 
the user wishes to delete a portion of a work, the Change operation must be used. 

(6) Transfer. A user may be authorized to transfer a work to a third party. 
This differs from the Copy operation in that the user does not retain the content or any 
rights to the content. The Transfer operation may be carried out by combining a Copy 
operation and a Delete operation. Transfer may require alteration of the header CMPO 
associated with the work (e.g., adding or altering an Ownership/Control Element, such as 
Elements 2805-2807 of FIG. 28), so as to associate rights to the work with the third party. 
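
The copy path described above (CMPO ESs separated in a first demux stage, decrypted, updated and remuxed while the content ESs are never decrypted), as an added Python model that is not code from the patent. The packet tuples, the JSON CMPO body, the `copies_remaining` field, the update rule and the toy cipher are assumptions made for illustration.

```python
import hashlib
import json


def toy_cipher(key, data):
    """Stand-in for the CMPS's CMPO cipher (NOT secure): XOR with a SHA-256
    counter keystream. The same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)


def seal_cmpo(key, fields):
    return toy_cipher(key, json.dumps(fields, sort_keys=True).encode())


def open_cmpo(key, blob):
    return json.loads(toy_cipher(key, blob))


class OutputDenied(Exception):
    """The switch refused to route the stream to the digital output port."""


def copy_to_output_port(packets, cmpo_key, update, copy_instruction):
    """Route a copy to the output port, touching only CMPO ES packets.

    packets: list of (es_id, kind, payload); kind is "CMPO" or "CONTENT".
    update:  callable taking the decrypted CMPO dict; returns the updated
             dict, or None when the rules do not authorize the copy.
    """
    if not copy_instruction:
        raise OutputDenied("no Copy instruction from the user or a header CMPO")
    # First demux stage: locate the CMPO ESs; content ESs are left muxed.
    cmpo_positions = [i for i, (_, kind, _) in enumerate(packets) if kind == "CMPO"]
    if not cmpo_positions:
        raise OutputDenied("no CMPO found; the port stays closed without a control")
    out = list(packets)
    for i in cmpo_positions:
        es_id, kind, blob = packets[i]
        try:
            cmpo = open_cmpo(cmpo_key, blob)              # decrypt the CMPO
        except ValueError as exc:
            raise OutputDenied(f"CMPO in ES {es_id} could not be opened") from exc
        updated = update(cmpo) if isinstance(cmpo, dict) else None
        if updated is None:
            raise OutputDenied(f"CMPO in ES {es_id} does not authorize a copy")
        out[i] = (es_id, kind, seal_cmpo(cmpo_key, updated))  # remux in place
    return out


def allow_one_generation(cmpo):
    """Hypothetical update rule: a copy is allowed once, and the copy's own
    CMPO forbids further copies."""
    if cmpo.get("copies_remaining", 0) < 1:
        return None
    return {**cmpo, "copies_remaining": 0}


# Constructed sample stream. The content payloads stand for ciphertext whose
# key the copy path never needs.
CMPO_KEY = b"constructed-cmpo-key"


def sample_stream(copies_remaining):
    cmpo = {"governs_es": 7, "copies_remaining": copies_remaining}
    return [
        (100, "CMPO", seal_cmpo(CMPO_KEY, cmpo)),
        (7, "CONTENT", bytes.fromhex("9f02c4e1")),
        (7, "CONTENT", bytes.fromhex("aa10ff03")),
    ]


if __name__ == "__main__":
    copied = copy_to_output_port(sample_stream(1), CMPO_KEY, allow_one_generation, True)
    print(open_cmpo(CMPO_KEY, copied[0][2]), copied[1:] == sample_stream(1)[1:])
```

If the CMPOs were carried as headers inside the content ESs, `cmpo_positions` could not be computed without first demuxing and decrypting the whole stream, which is the limitation the text points out.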

These basic operations may be subject to modifications, which may include: 

i. Payment. Operations may be conditioned on some type of user 
payment. Payment can take the form of cash payment to a provider (e.g., credit card, 
subtraction from a budget), or sending specified information to an external site (e.g., 
Nielson-type information). 

ii. Quality of Service. Operations may specify particular quality of 
service parameters (e.g., by specifying a requested QoS in MPEG-4), including: requested 
level of decompression, requested/required types of display, rendering devices (e.g., higher 
quality loudspeakers, a particular type of game controller). 

iii. Time. Operations may be conditioned such that the operation is 
only allowed after a particular time, or such that the price for the operation is tied to the 
time (e.g., real-time information at a price, delayed information at a lower price or free, 
e.g., allowing controlled copies but only after a particular date). 

iv. Display of particular types of content. Operations may be 
conditioned on the user authorizing display of certain content (e.g., the play operation may 
be free if the user agrees to allow advertisements to be displayed). 

In all of these cases, a rule may be modified by one or more other rules. A rule may 
specify that it can be modified by other rules or may specify that it is unmodifiable. If a 
rule is modifiable, it may be modified by rules sent from other sources. Those rules may 
be received separately by the user or may be aggregated and received together by the user. 

Data types which may be used in an exemplary MPEG-4 embodiment may include 
the following: 

a. CMP Data Stream. 

The CMP-ds is a new elementary stream type that has all of the properties of an 
elementary stream including its own CMPO and a reference in the object descriptors. Each 
CMP-ds stream has a series of one or more CMP_Messages. A CMP_Message has four 
parts: 



1. Count: [1...n] CMPS types supported by this IP ES. Multiple CMPS 
systems may be supported, each identified by a unique type. (There may have 
to be a central registry of types.) 

2. CMPS_type_identifiers: [1...n] identifiers, each with an offset in the 
stream and a length. The offset points to the byte in the CMPO where the data 
for that CMPS type is found. The length is the length in bytes of this data. 

3. Data segments: One segment for each of the n CMPS types encoded in a 
format that is proprietary to the CMPS supplier. 

4. CMP_Message_URL: That references another CMP_Message. (This is in 
keeping with the standard of using URLs to point to streams.) 

b. CMPO. 

The CMPO is a data structure used to attach detailed CMP control to individual 
elementary streams. Each CMPO contains: 

1. CMPO_ID: An identifier for the content under control. This identifier must 
uniquely identify an elementary stream. 

2. CMPO_count: [1...n] CMPS types supported by this CMPO. 

3. CMPS_type_identifiers: [1...n] identifiers, each with an offset in the 
stream and a length. The offset points to the byte in the CMPO where the data 
for that CMPS type is found. The length is the length in bytes of this data. 

4. Data segments: n data segments. Each data segment is in a format that is 
proprietary to the CMPS supplier. 

5. CMPO_URL: An optional URL that references an additional CMPO that 
adds information to the information in this CMPO. (This is a way of 
dynamically adding support for new CMPSs.) 

c. Feedback Event 

The feedback events come in two forms: start and end. Each feedback event 
contains three pieces of information: 

1. Elementary_stream_ID 

2. Time: in presentation time 

3. Object_instance_number 
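
The CMPO described above gives each CMPS type an offset and a length into the CMPO, so a player has to validate that table before slicing out a supplier's data segment. The following Python parser is an added example, not code from the patent; the field widths, byte order, placement of the optional CMPO_URL and the sample values are assumptions, since the text names the fields but defines no wire encoding.

```python
import struct

# Assumed wire layout (the text defines the fields, not their encoding):
#   CMPO_ID u32 | CMPO_count u8 | count x (CMPS type u16, offset u32, length u32)
#   | URL length u16 | CMPO_URL bytes | data segments
HDR = struct.Struct(">IB")
ENT = struct.Struct(">HII")
URL_LEN = struct.Struct(">H")


class CMPOError(ValueError):
    """The CMPO is truncated or its offset table is inconsistent."""


def build_cmpo(cmpo_id, segments, url=""):
    """Serialize {cmps_type: data} in the assumed layout (used for sample input)."""
    url_b = url.encode("ascii")
    cursor = HDR.size + ENT.size * len(segments) + URL_LEN.size + len(url_b)
    table, body = b"", b""
    for cmps_type, data in segments.items():
        table += ENT.pack(cmps_type, cursor, len(data))
        body += data
        cursor += len(data)
    return HDR.pack(cmpo_id, len(segments)) + table + URL_LEN.pack(len(url_b)) + url_b + body


def parse_cmpo(buf):
    """Parse one CMPO, checking every offset and length before slicing."""
    if len(buf) < HDR.size:
        raise CMPOError("truncated header")
    cmpo_id, count = HDR.unpack_from(buf, 0)
    if count < 1:
        raise CMPOError("CMPO_count must be at least 1")
    pos = HDR.size
    if len(buf) < pos + ENT.size * count + URL_LEN.size:
        raise CMPOError("truncated CMPS_type_identifiers table")
    entries = [ENT.unpack_from(buf, pos + i * ENT.size) for i in range(count)]
    pos += ENT.size * count
    (url_len,) = URL_LEN.unpack_from(buf, pos)
    pos += URL_LEN.size
    if len(buf) < pos + url_len:
        raise CMPOError("truncated CMPO_URL")
    try:
        url = bytes(buf[pos:pos + url_len]).decode("ascii") or None
    except UnicodeDecodeError as exc:
        raise CMPOError("CMPO_URL is not ASCII") from exc
    data_start = pos + url_len

    segments, spans = {}, []
    for cmps_type, offset, length in entries:
        if cmps_type in segments:
            raise CMPOError(f"duplicate CMPS type {cmps_type:#06x}")
        # The offset is relative to the start of the CMPO; it must not point
        # back into the header or table, nor past the end of the buffer.
        if offset < data_start or offset + length > len(buf):
            raise CMPOError(f"segment for CMPS type {cmps_type:#06x} is out of bounds")
        spans.append((offset, offset + length))
        segments[cmps_type] = bytes(buf[offset:offset + length])
    spans.sort()
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            raise CMPOError("data segments overlap")
    return {"cmpo_id": cmpo_id, "url": url, "segments": segments}


def select_segment(cmpo, supported_types):
    """Pick the data segment for the first CMPS type this player implements."""
    for cmps_type in supported_types:
        if cmps_type in cmpo["segments"]:
            return cmps_type, cmpo["segments"][cmps_type]
    return None


# Constructed sample: two CMPS suppliers' segments plus an optional CMPO_URL.
SAMPLE = build_cmpo(
    0x2A,
    {0x0001: b"rules-for-vendor-A", 0x0002: b"rules-for-vendor-B"},
    url="http://example.invalid/cmpo/extra",
)

if __name__ == "__main__":
    parsed = parse_cmpo(SAMPLE)
    print(parsed["cmpo_id"], parsed["url"], select_segment(parsed, [0x0009, 0x0002]))
```
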

User Interface. 

Commerce Appliance 2301 may include User Interface 2304 designed to convey 
control-related information to the user and to receive commands and information from the 
user. This interface may include special purpose displays (e.g., a light which comes on if a 
current action requires payment), special purpose buttons (e.g., a button which accepts the 
payment or other terms required for display of content), and/or visual information presented 
on screen. 

Example of Operation in an MPEG-4 Context 

1. User selects a particular work or channel. The user may, for example, use a 
remote control device to tune a digital TV to a particular channel. 

2. Selection of the channel is communicated to a CMPS arrangement, which uses 
the information to either download a CCMPO or to identify a previously downloaded 
CCMPO (e.g., if the CMPS arrangement is contained in a set-top box, the set-top box may 
automatically download CCMPOs for every channel potentially reachable by the box). 

3. The CMPS arrangement uses the CCMPO to identify rules associated with all 
content found on the channel. For example, the CCMPO may specify that content may 
only be viewed by subscribers, and may specify that, if the user is not a subscriber, an 
advertisement screen should be put up inviting the user to subscribe. 

4. Once rules specified by the CCMPO have been satisfied, the CCMPO specifies 
the location of a MCMPO associated with a particular work which is available on the 
channel. The channel CMPO may also supply one or more keys used for decryption of the 
MCMPO. 

5. The CMPS arrangement downloads the MCMPO. In the case of an MPEG-4 
embodiment, the MCMPO may be an Elementary Stream. This Elementary Stream must be 
identifiable at a relatively early stage in the MPEG-4 decoding process. 

6. The CMPS arrangement decrypts the MCMPO, and determines the rules used to 
access and use the content. The CMPS arrangement presents the user with a set of options, 
including the ability to view for free with advertisements, or to view for a price without 
advertisements. 

7. The user selects view for free with advertisements, e.g., by highlighting and 
selecting an option on the screen using a remote control device. 

8. The CMPS arrangement acquires one or more keys from the MCMPO and uses 
those keys to decrypt the ESs associated with the video. The CMPS arrangement identifies 
two possible scene descriptor graphs, one with and one without advertisements. The CMPS 
arrangement passes the scene descriptor graph with advertisements through, and blocks the 
other scene descriptor graph. 

9. The CMPS arrangement monitors the composite and render block, and checks to 
determine that the advertisement AVOs have actually been released for viewing. If the 
CMPS arrangement determines that those AVOs have not been released for viewing, it puts 
up an error or warning message, and terminates further decryption. 

CMPS Rights Management In Provider And Distribution Chains 

In addition to consumer arrangements, in other embodiments one or more CMPSs 
may be used in creating, capturing, modifying, augmenting, animating, editing, excerpting, 
extracting, embedding, enhancing, correcting, fingerprinting, watermarking, and/or 
rendering digital information to associate rules with digital information and to enforce those 
rules throughout creation, production, distribution, display and/or performance processes. 

In one non-limiting example, a CMPS, a non-exhaustive example of which may 
include at least a secure portion of a VDE node as described in the aforementioned Ginter et 
al., patent specification, is incorporated in video and digital cameras, audio microphones, 
recording, playback, editing, and/or noise reduction devices and/or any other digital device. 
Images, video, and/or audio, or any other relevant digital information may be captured, 
recorded, and persistently protected using at least one CMPS and/or at least one CMPO. 
CMPSs may interact with compression/decompression, encryption/decryption, DSP, digital 
to analog, analog to digital, and communications hardware and/or software components of 
these devices as well. 

In another non-exhaustive example, computer animation, special effects, digital 
editing, color correcting, noise reduction, and any other applications that create and/or use 
digital information may protect and/or manage rights associated with digital information 
using at least one CMPS and/or at least one CMPO. 

Another example includes the use of CMPSs and/or CMPOs to manage digital 
assets in at least one digital library, asset store, film and/or audio libraries, digital vaults, 
and/or any other digital content storage and management means. 

In accordance with the present applications, CMPSs and/or CMPOs may be used to 
manage rights in conjunction with the public display and/or performance of digital works. 
In one non-exhaustive example, flat panel screens, displays, monitors, TV projectors, LCD 
projectors, and/or any other means of displaying digital information, may incorporate at 
least one hardware and/or software CMPS instance that controls the use of digital works. A 
CMPS may allow use only in conjunction with one or more digital credentials, one example 
of which is a digital certificate, that warrant that use of the digital information will occur in 
a setting, location, and/or other context for public display and/or performance. Non-limiting 
examples of said contexts include theaters, bars, clubs, electronic billboards, electronic 
displays in public areas, or TVs in airplanes, ships, trains and/or other public conveyances. 
These credentials may be issued by trusted third parties such as certifying authorities, 
non-exhaustive examples of which are disclosed in the aforementioned Ginter '712 patent 
application. 

Additional MPEG-4 Embodiment Information 

This work is based on the MPEG-4 description in the version 1 Systems Committee 
Draft (CD), currently the most complete description of the evolving MPEG-4 standard. 

This section presents the structural modifications to the MPEG-4 player architecture 
and discusses the data lines and the concomitant functional changes. Figure 23 shows the 
functional components of the original MPEG-4 player. Content arrives at Player 2301 
packaged into a serial stream (e.g., MPEG-4 Bit Stream 2314). It is demultiplexed via a 
sequence of three demultiplexing stages (e.g., Demux 2305) into elementary streams. 
There are three principal types of elementary streams: AV Objects (AVO), Scene 
Descriptor Graph (SDG), and Object Descriptor (OD). These streams are fed into 
respective processing elements (e.g., AVO Decode 2307, Scene Descriptor Graph 2306, 
Object Descriptors 2308). The AVOs are the multimedia content streams such as audio, 
video, synthetic graphics and so on. They are processed by the player's 
compression/coding subsystems. The scene descriptor graph stream is used to build the 
scene descriptor graph. This tells Composite and Render 2309 how to construct the scene 
and can be thought of as the "script." The object descriptors contain description information 
about the AVOs and the SD-graph updates. 

To accommodate a CMPS (e.g., CMPS 2302) and to protect content effectively, the 
player structure must be modified in several ways: 

• Certain data paths must be rerouted to and from the CMPS 

• Certain buffers in the SDG, AVO decode and Object descriptor modules must 
be secured 

• Feedback paths from the user and the composite and render units to the CMPS 
must be added 

In order for CMPS 2302 to communicate with the MPEG-4 unit, and for it to 
effectively manage content we must specify the CMPO structure and association protocols 
and we must define the communication protocols over the feedback systems (from the 
compositor and the user.) 

The structural modifications to the player are shown in Figure 23. The principal 
changes are: 

• All elementary streams are now routed through CMPS 2302. 

• Direct communication path between Demux 2305 and CMPS 2302. 

• A required "Content Release and Decrypt" Module 2315 in CMPS 2302. 

• The addition of a feedback loop (e.g., Line 2313) from Composite and Render 
2309 to CMPS 2302. 

• Bi-directional user interaction directly with the CMPS 2302, through Line 2316. 

Furthermore, for M4v2P, CMP-objects are preferably associated with all elementary 
streams. Elementary streams that the author chooses not to protect are still marked by an 
"unprotected content" CMPO. The CMPOs are the primary means of attaching rules 
information to the content. Content here not only refers to AVOs, but also to the scene 
descriptor graph. Scene Descriptor Graph may have great value and will thus need to be 
protected and managed by CMPS 2302. 

The direct path from Demux 2305 to CMPS 2302 is used to pass a CMPS-specific 
header, potentially containing business model information, at the beginning of a user 
session. This header can be used to initiate user 
identification and authentication, communicate rules and consequences, and initiate 
up-front interaction with the rules (selection of quality-of-service (QoS), billing, etc.) The 
user's communication with CMPS 2302 is conducted through a non-standardized channel 
(e.g., Line 2316). The CMPS designer may provide an independent API for framing these 
interactions. 

Feedback Path 2313 from Composite and Render block 2309 serves an important 
purpose. The path is used to cross check that the system actually presented the user with a 
given scene. Elementary streams that are processed by their respective modules may not 
necessarily be presented to the user. Furthermore, there are several fraud scenarios wherein 
an attacker could pay once and view multiple times. The feedback path here allows CMPS 
2302 to cross check the rendering and thereby perform a more accurate accounting. This 
feedback is implemented by forcing the Composite and Render block 2309 to issue a start 
event that signals the initiation of a given object's rendering that is complemented by a stop 
event upon termination. The feedback signaling process may be made optional by 
providing a CMP-notification flag that may be toggled to indicate whether or not CMPS 
2302 should be notified. All CMPOs would be required to carry this flag. 

The final modification to the structure is to require that the clear text buffers in the 
AVO, SDG and Object Descriptor processors and in the Composite-and-Render block be 
secured. This is to prevent a pirate from stealing content in these buffers. As a practical 
matter, this may be difficult, since tampering with these structures may well destroy 
synchronization of the streams. However, a higher state of security would come from 
placing these buffers into a protected processing environment. 

CMPS 2302 governs the functioning of Player 2301, consistent with the following: 

• Communication mechanism between CMPS 2302 and the MPEG-4 player (via 
CMPOs) 

• A content release and decryption subsystem 

• Version authentication subsystem 

• Sufficient performance so as not to interfere with the stream processing in the 
MPEG-4 components 

CMPS 2302 may have a bi-directional side-channel that is external to the MPEG-4 
player that may also be used for the exchange of CMP information. Furthermore, the 
CMPS designer may choose to provide a user interface API that provides the user with the 
ability to communicate with the content and rights management side of the stream 
management (e.g., through Line 2316). 

Encrypted content is decrypted and released by CMPS 2302 as a function of the 
rules associated with the protected content and the results of user interaction with CMPS 
2302. Unencrypted content is passed through CMPS 2302 and is governed by associated 
rules and user interaction with CMPS 2302. As a consequence of these rules and user 
interaction, CMPS 2302 may need to transact with the SDG and AVO coding modules 
(e.g., 2310, 2311) to change scene structure and/or the QoS grade. 

Ultimately, the CMPS designer may choose to have CMPS 2302 generate audit trail 
information that may be sent to a clearinghouse authority via CMPS Side Channel Port 
2318 or as encrypted content that is packaged in the MPEG-4 bit stream. 

The MPEG-4 v1 Systems CD uses the term "object" loosely. In this document, 
"object" is used to specifically mean a data structure that flows from one or more of the 
data paths in Figure 23. 

Using multiple SD-graph update streams, each with its own CMPO, allows an 
author to apply arbitrarily specific controls to the SD-graph. For example, each node in the 
SD-graph can be created or modified by a separate SD-graph update stream. Each of these 
streams will have a distinct CMPO and ID. Thus, the CMPS can release and decrypt the 
creation and modification of each node and receive feedback information for each node 
individually. The practical implications for controlling release and implementing 
consequences should be comparable to having a CMPO on each node of the SD-graph, 
without the costs of having a CMPO on each SD-graph node. 

Principles consistent with the present invention may be illustrated using the 
following examples: 

In the first example, there is a bilingual video with either an English or French 
soundtrack. The user can choose during playback to hear either the English or French. The 
basic presentation costs $1. If the French soundtrack is presented there is a $0.50 surcharge. 
If the user switches back and forth between French and English, during a single viewing of 
the presentation, the $0.50 surcharge will occur only once. 

In this example, there will be four elementary streams: 

The Scene Description Graph Update stream will have a CMPO. The CMPO will 
imply a $1.00 fee associated with the use of the content. The scene description graph 
displays the video, English audio and puts up a button that allows the user to switch to 
French. If the user clicks that button, the English stops, the French picks up from that point 
and the button changes to a switch-to-English button. (Optionally, there may be a little 
dialog at the beginning to allow the user to select the initial language. This is all easy to do 
in the SD graph.) 

The Video Stream with the CMPO will say that it can only be released if the scene 
description graph update stream above is released. 

The English Audio Stream will be similar to the Video stream. 

The French Audio Stream will be similar to the Video stream but there is a $.50 
charge if it is seen in the feedback channel. (The CMPS must not count twice if the user 
switches between the two in a single play of the presentation.) 

An important requirement is that the ID for the SD-graph update stream appears in 
the feedback path (e.g., Feedback Path 2313). This is so CMPS 2302 knows when the 
presentation stops and ends so that CMPS 2302 can correctly bill for the French audio. 

The rules governing the release of the video and audio streams may include some 
variations. The rules for these streams, for example, may state something like "if you don't 
see the id for the scene description graph update stream X in the feedback channel, halt 
release of this stream." If the main presentation is not on the display, then the video should 
not be. This ties the video to this one presentation. Using the video in some other 
presentation would require access to the original video, not just this protected version of it. 
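
The billing and release rules of this first example, driven by start and end feedback events, as added Python code that is not part of the patent. The stream IDs, rule table and feedback log are constructed, and a "play" is assumed to run from the SD-graph update stream's start event to its end event.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FeedbackEvent:
    form: str                       # "start" or "end"
    elementary_stream_id: int
    time: int                       # presentation time
    object_instance_number: int


@dataclass(frozen=True)
class Rule:
    fee_cents: int = 0              # charged when the stream shows up in feedback
    requires: Optional[int] = None  # stream ID that must be rendering for release


# Hypothetical stream IDs and rule table for the bilingual video.
SDG, VIDEO, AUDIO_EN, AUDIO_FR = 1, 2, 3, 4
RULES = {
    SDG: Rule(fee_cents=100),
    VIDEO: Rule(requires=SDG),
    AUDIO_EN: Rule(requires=SDG),
    AUDIO_FR: Rule(fee_cents=50, requires=SDG),
}


class Accounting:
    def __init__(self, rules, root):
        self.rules, self.root = rules, root
        self.rendering = set()   # stream IDs currently reported by the compositor
        self.billed = set()      # stream IDs already charged during this play
        self.ledger = []         # (time, stream_id, cents)
        self.halted = []         # (time, stream_id) refused release

    def may_release(self, es_id):
        rule = self.rules.get(es_id)
        if rule is None:                     # no rule known for the stream: fail closed
            return False
        return rule.requires is None or rule.requires in self.rendering

    def on_feedback(self, event):
        if event.form not in ("start", "end"):
            raise ValueError(f"unknown feedback form {event.form!r}")
        es = event.elementary_stream_id
        if event.form == "end":
            self.rendering.discard(es)
            if es == self.root:              # presentation over: the play ends
                self.rendering.clear()
                self.billed.clear()
            return
        if not self.may_release(es):         # prerequisite ID absent from feedback
            self.halted.append((event.time, es))
            return
        self.rendering.add(es)
        fee = self.rules[es].fee_cents
        if fee and es not in self.billed:    # surcharge at most once per play
            self.billed.add(es)
            self.ledger.append((event.time, es, fee))

    def total_cents(self):
        return sum(cents for _, _, cents in self.ledger)


def ev(form, es_id, time, instance=1):
    return FeedbackEvent(form, es_id, time, instance)


# Constructed feedback log: one play with two switches to French, a video
# start outside any presentation, then a second play in French.
FEEDBACK_LOG = [
    ev("start", SDG, 0), ev("start", VIDEO, 0), ev("start", AUDIO_EN, 0),
    ev("end", AUDIO_EN, 10), ev("start", AUDIO_FR, 10),
    ev("end", AUDIO_FR, 20), ev("start", AUDIO_EN, 20),
    ev("end", AUDIO_EN, 30), ev("start", AUDIO_FR, 30),
    ev("end", AUDIO_FR, 40), ev("end", VIDEO, 40), ev("end", SDG, 40),
    ev("start", VIDEO, 50),
    ev("start", SDG, 100), ev("start", AUDIO_FR, 100),
    ev("end", AUDIO_FR, 140), ev("end", SDG, 140),
]


def replay(events, rules=RULES, root=SDG):
    acct = Accounting(rules, root)
    for event in events:
        acct.on_feedback(event)
    return acct


if __name__ == "__main__":
    result = replay(FEEDBACK_LOG)
    print(result.ledger, result.halted, result.total_cents())
```
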

In a second example, an author wants to have a presentation with a free attract 
sequence or "trailer". If the user clicks the correct button the system moves into the for-fee 
presentation, which is organized as a set of "acts". 

Multiple SD-graph update streams may update a scene description graph. Multiple 
SD-graph update streams may be open in parallel. The time stamps on the ALUs in the 
streams are used to synchronize and coordinate. 

The trailer and each act are represented by a separate SD-graph update stream with a 
separate CMPO. There is likely an additional SD-graph update stream that creates a simple 
root node that is invisible and silent. This node brings in the other components of the 
presentation as needed. 

The foregoing description of implementations of the invention has been presented 
for purposes of illustration and description. It is not exhaustive and does not limit the 
invention to the precise form disclosed. Modifications and variations are possible in light 
of the above teachings or may be acquired from practicing of the invention. For example, 
the described implementation includes software but the present invention may be 
implemented as a combination of hardware and software or in hardware alone. The 
invention may be implemented with both object-oriented and non-object-oriented 
programming systems. The scope of the invention is defined by the claims and their 
equivalents. 

We claim: 

1. A streaming media player providing content protection and digital rights 
management, including: 

a port configured to receive a digital bit stream, the digital bit stream including: 
content which is encrypted at least in part, and 

a secure container including control information for controlling use of the 
content including at least one key suitable for decryption of at least a portion of the 
content; and 

a control arrangement including: 

means for opening secure containers and extracting cryptographic keys, and 
means for decrypting the encrypted portion of the content. 

2. The player of Claim 1 in which the digital bit stream includes at least two 
sub-streams which have been muxed together, at least one of the sub-streams including 
compressed information, and 

wherein the player further includes: 

a demux designed to separate and route the sub-streams; 

a decompression unit configured to decompress at least one of the sub-streams, the 
decompression unit and the demux being connected by a pathway for the transmission of 
information; and 

a rendering unit designed to process decompressed content information for 
rendering. 

3. The player of Claim 2, further including: 

a stream controller operatively connected to the decompression unit, the stream 
controller including decryption functionality configured to decrypt at least a portion of a 
sub-stream and pass the decrypted sub-stream to the decompression unit. 

4. The player of Claim 3, further including: 

a path between the control arrangement and the stream controller to enable the 
control arrangement to pass at least one key to the stream controller for use with the stream 
controller's decryption functionality. 

5. The player of Claim 4, further including: 

a feedback path from the rendering unit to the control arrangement to allow the 
control arrangement to receive information from the rendering unit regarding the 
identification of objects which are to be rendered or have been rendered. 

6. The player of Claim 1, wherein the digital bit stream is encoded in MPEG-4 
format. 

7. The player of Claim 1, wherein the digital bit stream is encoded in MP3 
format. 

8. The player of Claim 4, wherein the control arrangement contains a rule or 
rule set associated with governance of at least one sub-stream or object. 

9. The player of Claim 8, wherein the rule or rule set is delivered from an 
external source. 

10. The player of Claim 9, wherein the rule or rule set is delivered as part of the 
digital bit stream. 

11. The player of Claim 8, wherein the rule or rule set specifies conditions 
under which the governed sub-stream or object may be decrypted. 

12. The player of Claim 8, wherein the rule or rule set governs at least one 
aspect of access to or use of the governed sub-stream or object. 

13. The player of Claim 12, wherein the governed aspect includes making copies 
of the governed sub-stream or object. 

14. The player of Claim 12, wherein the governed aspect includes transmitting 
the governed sub-stream or object through a digital output port. 

15. The player of Claim 14, wherein the rule or rule set specifies that the 
governed sub-stream or object can be transferred to a second device, but rendering of the 
governed sub-stream or object must be disabled in the first device prior to or during the 
transfer. 

16. The player of Claim 15, wherein the second device includes rendering 
capability, lacks at least one feature present in the streaming media player, and is at least 
somewhat more portable than the streaming media player. 

17. The player of Claim 11, wherein the control arrangement contains at least 
two rules governing access to or use of the same governed sub-stream or object. 

18. The player of Claim 17, wherein a first of the two rules was supplied by a 
first entity, and the second of the two rules was supplied by a second entity. 

19. The player of Claim 18, wherein the first rule controls at least one aspect of 
operation of the second rule. 

20. The player of Claim 12, wherein the governed aspect includes use of at least 
one budget. 

21. The player of Claim 12, wherein the governed aspect includes a requirement 
that audit information be provided. 

22. The player of Claim 1, wherein the control arrangement includes tamper 
resistance. 

23. A digital bit stream including: 

content information that is compressed and at least in part encrypted; and 
a secure container including 

governance information for the governance of at least one aspect of 
access to or use of at least a portion of the content information; and 

a key for decryption of at least a portion of the encrypted content 
information. 

24. The digital bit stream of Claim 23, wherein the content information is 
encoded in MPEG-4 format. 

25. The digital bit stream of Claim 23, wherein the content information is 
encoded in MP3 format. 

26. A method of rendering a protected digital bit stream including: 
receiving the protected digital bit stream, 

passing the protected digital bit stream to a media player, 

the media player reading first header information identifying a plugin used 
to process the protected digital bit stream, the first header information 
indicating that a first plugin is required; 

the media player calling the first plugin; 

the media player passing the protected digital bit stream to the first plugin; 
the first plugin decrypting at least a portion of the protected digital bit stream; 
the first plugin reading second header information identifying a second plugin 
necessary in order to render the decrypted digital bit stream; 
the first plugin calling the second plugin; 

the first plugin passing the decrypted digital bit stream to the second plugin; 
the second plugin processing the decrypted digital bit stream, the processing 
including decompressing at least a portion of the decrypted digital bit stream; 
the second plugin passing the decrypted and processed digital bit stream to the 
media player; and 

the media player enabling rendering of the decrypted and processed digital bit 
stream, 

whereby the first plugin may be used in an architecture not designed for 
multiple stages of plugin processing. 